
One WhatsApp Message May Have Been Enough to Breach Gemini AI, Research Says


A single poisoned notification could have taken control of Google Gemini’s voice assistant on Android. The trigger could come from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. After activation, the system could open connected apps, send fake messages from contacts, start a Zoom call, or alter Gemini’s stored memory.

No malicious app was needed. The assistant only had to treat a harmful notification as trusted input. The findings come from SafeBreach researcher Or Yair, building on earlier research that used Google Calendar invites as an attack method.


Google has patched the issue. No CVE was assigned, and there is no sign it was used in real attacks.

How the attack worked

On Android, Gemini can read and respond to notifications through its Utilities feature. This works with apps like WhatsApp. The feature does not exist on iOS or web versions, so Android becomes the target.

Researchers found that Gemini can treat notification text as instructions. That turns any notification source into a possible entry point.

At a basic level, an attacker could change Gemini’s responses and even fake messages from real contacts. For example, Gemini could say that a manager had sent a Drive link request. While driving or multitasking, users may not question it.

A second method made it harder to detect. Gemini would first load real notifications. Then it would attach a fake instruction to a real sender name. No prior access to the victim was needed.


Bypassing Google protections

Google already added safety checks to block risky actions. These checks compare user replies with recent assistant output.

Simple delayed instructions failed those checks.

Researchers then tested a workaround called Fake Context Alignment. It used two tricks at the same time.

One version mixed languages. Gemini asked a sensitive question in another language, then followed with harmless text in English. Users often ignored the foreign text and responded to the visible part.

Another version hid instructions inside links. Gemini’s voice output skipped the link content, but the system still processed it.

Together, these methods bypassed existing protections in controlled tests.
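As an added illustration (not SafeBreach's or Google's code), the Python sketch below shows one defensive check against the link trick only: it rebuilds what the listener actually hears, flags sentence-like text hidden in link targets, and counts a reply as consent only when the action itself was voiced. The markdown link format, the function names and the sample turns are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Assumption: assistant turns carry markdown-style links, and the voice
# channel speaks only the anchor text while the model sees the whole string.
LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")
# Four or more alphabetic words in a row: prose, not a normal URL component.
PROSE = re.compile(r"(?:[^\W\d_]+\s+){3,}[^\W\d_]+")


def spoken_view(turn: str) -> str:
    """Return the turn as the listener hears it (link targets dropped)."""
    return LINK.sub(lambda m: m.group(1), turn)


def unspoken_prose(turn: str) -> list[str]:
    """Find sentence-like text in link targets, which is never voiced."""
    found = []
    for m in LINK.finditer(turn):
        found += PROSE.findall(unquote(m.group(2)))
    return found


def confirmation_counts(turn: str, action_summary: str) -> bool:
    """Treat a reply as consent only if the action itself was voiced.

    action_summary is a hypothetical plain-language description of the
    pending sensitive action.
    """
    heard = " ".join(spoken_view(turn).lower().split())
    return action_summary.lower() in heard and not unspoken_prose(turn)


# Constructed sample turns (not taken from the research).
CLEAN = ("Do you want me to join the video call? Details are "
         "[here](https://example.invalid/meeting/123).")
TAINTED = ("Want the weather? See [this page]"
           "(https://example.invalid/#this%20sentence%20is%20never%20read%20aloud).")

if __name__ == "__main__":
    for turn in (CLEAN, TAINTED):
        print(repr(spoken_view(turn)), unspoken_prose(turn),
              confirmation_counts(turn, "join the video call"))
```

The prose pattern is a heuristic: a link to a search query with encoded spaces would also be flagged, which is acceptable when the result is a review or a refusal to treat the reply as consent.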


What attackers could do

If successful, the attack could go far beyond messages.

It could trigger smart home actions through Google Home. Lights, windows, and devices could be controlled. It could also track location through IP data or force file downloads.

In one test, Gemini was pushed to open a Zoom link and forced to join a live call with video enabled.

The most serious issue was memory poisoning. Gemini could store false data as permanent memory. That memory would sync across all devices linked to the account.

Attackers could also schedule repeating actions, for example, reading messages every evening without user approval.

Fix and response

SafeBreach reported the issue to Google in August 2025. Google confirmed a fix in November 2025 after updating internal detection systems.

The change was applied on the server side. No user update is needed.

Google also credited the researchers and confirmed the work helped improve AI safety systems.


User safety steps

Users can reduce risk by turning off utilities in Gemini settings. Another option is disabling notification access for the Google app on Android.

In markets like Pakistan, where WhatsApp and Android are widely used, the research highlights a new class of AI-related security risks tied to everyday notifications.


Written by Hajra Naz
