Google Gemini Vulnerability Exploited via Malicious Notifications

A newly discovered vulnerability in Google Gemini's voice assistant allows attackers to exploit indirect prompt injection through notifications from popular messaging apps like WhatsApp and Slack. Researchers at SafeBreach demonstrated that malicious commands can be embedded in notifications, enabling unauthorized actions such as faking messages, controlling smart devices, and altering memory. This technique, termed 'Fake Context Alignment,' does not require the installation of malicious apps. The vulnerability was reported to Google on August 17, 2025, and mitigated by November 14, 2025. Although Google has since implemented content classifier updates, there are currently no known instances of this exploit being used in the wild. The attack highlights the risks associated with voice assistants processing third-party content without adequate safeguards.

Key Points: • Google Gemini's voice assistant is vulnerable to indirect prompt injection via notifications. • Attackers can manipulate the assistant to perform unauthorized actions without malicious app installation. • The vulnerability was reported in August 2025 and mitigated by November 2025, with no known active exploits.