Google Gemini Android Vulnerability via Malicious Notifications

Danny Weber

Researchers discovered a prompt injection vulnerability in Google Gemini on Android that could hijack the assistant via malicious notifications. Google deployed a server-side fix.

Researchers at SafeBreach uncovered a serious vulnerability in Google Gemini on Android devices that could hijack the assistant's logic via malicious notifications from apps like WhatsApp and Slack. The issue stemmed from prompt injection—an attack where the AI interprets external text as an instruction rather than data. Google has already rolled out a server-side fix.

Researcher Or Yair demonstrated the flaw. He discovered that Gemini’s Utilities feature, which helps the assistant read notifications and perform actions on Android, could be fooled by a specially crafted message. No malicious app installation was necessary; simply receiving a poisoned notification was enough, as Gemini then processed it as part of its context.

To get around Google’s defenses, SafeBreach employed a technique called Fake Context Alignment. In one case, a malicious notification prompted Gemini to ask for permission in a language the user likely didn’t understand—Chinese, for instance. The assistant then switched back to English and posed an innocuous question like “Is that all you need?” When the user said “yes,” the system interpreted that as approval for the concealed command.

In another variation, the instruction was tucked inside a muted hyperlink. Gemini didn’t read it aloud, but a permission request appeared on the screen. The user heard something about a minor error and responded “yes” by voice, believing they were confirming a dialog, while the system could simultaneously approve whatever was displayed on screen.
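The confirmation flaw described in the two preceding paragraphs can be modeled in a few lines. This is an added example, not SafeBreach's or Google's code: the `Turn` record, the `join_call` action id and both gate functions are hypothetical. It contrasts a gate that accepts any "yes" while an action is pending with one that binds approval to the request the user was actually asked, in their own language and on the channel they answered on.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Turn:
    """One assistant turn (hypothetical record, not a Gemini data structure)."""
    text: str
    lang: str                                # language the turn was delivered in
    spoken: bool                             # True if read aloud, False if only on screen
    asks_approval_for: Optional[str] = None  # action id this turn explicitly asks about

def is_yes(reply: str) -> bool:
    return reply.strip().lower() in {"yes", "yes."}

def naive_approve(pending: Optional[str], turns: List[Turn], reply: str) -> bool:
    """Weak gate: any 'yes' while an action is pending counts as approval."""
    return pending is not None and is_yes(reply)

def bound_approve(pending: Optional[str], turns: List[Turn], reply: str,
                  user_lang: str = "en", reply_by_voice: bool = True) -> bool:
    """Hardened gate: 'yes' approves only the request the user was just asked."""
    if pending is None or not turns or not is_yes(reply):
        return False
    last = turns[-1]
    return (last.asks_approval_for == pending        # the reply answers this exact request
            and last.lang == user_lang               # asked in a language the user reads
            and (last.spoken or not reply_by_voice)) # voice reply needs a spoken request

# Constructed transcripts; "join_call" is a made-up action id.
LANGUAGE_SWITCH = [
    Turn("<permission request in Chinese>", "zh", True, "join_call"),
    Turn("Is that all you need?", "en", True),
]
SILENT_DIALOG = [
    Turn("There was a minor error.", "en", True),
    Turn("Allow this action?", "en", False, "join_call"),
]
LEGITIMATE = [Turn("Do you want me to join the call?", "en", True, "join_call")]

def compare(turns: List[Turn]) -> tuple:
    """Return (naive decision, bound decision) for a user who answers 'yes'."""
    return (naive_approve("join_call", turns, "yes"),
            bound_approve("join_call", turns, "yes"))

if __name__ == "__main__":
    for name, t in [("language switch", LANGUAGE_SWITCH),
                    ("silent dialog", SILENT_DIALOG), ("legitimate", LEGITIMATE)]:
        print(name, compare(t))
```

The naive gate approves all three transcripts; the bound gate approves only the legitimate one, where the last thing the user heard was the approval request itself.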

Once the check was bypassed, the potential consequences were serious. During testing, researchers managed to control smart home devices, force the phone to join a Zoom call without clear confirmation, schedule tasks to regularly read private messages, and even corrupt Gemini’s memory. The last outcome is particularly concerning: the assistant could store a false fact at the account level, and that corruption would then propagate to the user’s other devices.

SafeBreach disclosed the issue to Google via its bug bounty program last August. Google treated it as a high-priority problem and has already deployed a server-side fix for the content classification systems. Users don’t need to install a separate app update, but the incident highlights how complicated AI assistant security becomes when these assistants have access to notifications, apps, and personal context.
