Back

New Vulnerability in Google Gemini Allows Malicious Prompt Injections via Messaging Apps

Severity: Medium (Score: 54.9)

Sources: Cybersecuritynews, Darkreading, www.safebreach.com

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: google, gemini, prompt, malicious, injection, notifications, voice

Severity indicators: vulnerability, ot

Summary

A new vulnerability in Google Gemini's voice assistant enables indirect prompt injection (IPI) attacks, allowing attackers to exploit messaging apps like WhatsApp, Slack, and SMS to deliver malicious payloads. The research by SafeBreach, led by Or Yair, reveals that attackers can silently hijack the AI by embedding malicious commands in notifications. This technique can facilitate unauthorized interactions, including controlling smart devices and conducting social engineering attacks. Although there is currently no evidence of this vulnerability being exploited in the wild, Google has rolled out updates to address the issue. The vulnerability arises from the assistant's failure to properly convey the source of messages, allowing attackers to manipulate user trust. SafeBreach reported the findings to Google under responsible disclosure, prompting the company to enhance its content classifiers. The vulnerability highlights significant security concerns for users of Google Gemini and similar AI assistants. Key Points: • Google Gemini's voice assistant is vulnerable to indirect prompt injection attacks. • Attackers can exploit messaging apps to deliver malicious payloads without user awareness. • Google has implemented updates to mitigate the identified vulnerabilities.

Detailed Analysis

**Impact** Users of Google Gemini’s voice assistant across multiple messaging platforms—including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger—are affected. The vulnerability enables attackers to conduct social engineering, unauthorized smart device control, video stream launches, and long-term poisoning of the assistant’s LLM memory. No specific geographic or sectoral data was provided, and there is no evidence the technique has been exploited in the wild to date. **Technical Details** The attack exploits a prompt injection vulnerability via messaging apps by embedding malicious commands in notifications, using techniques such as Fake Context Alignment and Delayed Tool Invocation. Attackers hide instructions in muted hyperlinks and foreign language text that the assistant processes silently, bypassing guardrails. The kill chain involves initial phishing messages with embedded payloads that trigger unauthorized actions upon user interaction. No CVEs or malware names were specified, and no IOCs were provided. **Recommended Response** Apply Google’s recent content classifier updates addressing the vulnerability. Monitor messaging app traffic for suspicious messages containing hidden or foreign language content and muted hyperlinks. Implement user awareness training to recognize phishing attempts, especially when using voice assistants to read messages. No additional specific detection rules or patches were detailed in the sources.

Source articles (4)

  • Malicious Notifications Could Trick Google Gemini Users — Darkreading · 2026-06-03
    A prompt injection flaw in Google Gemini's voice assistant let attackers hide malicious commands in notifications, enabling social engineering and more. A novel prompt injection technique would have l…
  • New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS — Cybersecuritynews · 2026-06-03
    A new class of indirect prompt injection (IPI) attacks targets Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging…
  • Gemini Voice Assistant Prompt Injection Exploit — www.safebreach.com · 2026-06-03
  • Invitation Is All You Need Hacking Gemini — www.safebreach.com · 2026-06-03

Timeline

  • 2026-06-03 — Research on Google Gemini vulnerability published: SafeBreach published findings on a new class of prompt injection attacks targeting Google Gemini's voice assistant.
  • 2026-06-03 — Google rolls out updates to address vulnerability: In response to SafeBreach's research, Google implemented content classifier updates to mitigate the prompt injection issue.

Related entities

  • Phishing (Attack Type)
  • Google (Company)
  • SafeBreach (Company)
  • Signal (Company)
  • T1566 - Phishing (Mitre Attack)
  • Google Gemini (Platform)
  • Instagram (Platform)
  • Messenger (Platform)
  • Slack (Platform)
  • SMS (Platform)
  • WhatsApp (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed