New Prompt Injection Bypass Allowed Notifications to Hijack Google Gemini on Android
A sophisticated prompt injection vulnerability, recently discovered by **SafeBreach**, could have allowed attackers to hijack **Google Gemini** on **Android** devices through a single poisoned notification. This critical flaw enabled malicious actors to manipulate the AI voice assistant into performing sensitive actions, faking messages, or even poisoning its long-term memory, all without requiring a malicious app to be installed on the victim's phone.

### The Vulnerability: Poisoned Notifications
Security researcher **Or Yair** of **SafeBreach** uncovered a novel method to bypass existing prompt injection defenses in **Google Gemini**. A single poisoned notification from messaging apps and services such as **WhatsApp**, **Slack**, **SMS**, **Signal**, **Instagram**, or **Messenger** could have been enough to compromise the voice assistant. The exploit allowed attackers to make Gemini open smart-home windows connected through **Google Home**, fake messages from contacts, initiate video calls, or subtly corrupt its stored memories.
Crucially, this attack required no prior installation of a malicious app on the victim's phone. Gemini simply had to process a hostile notification as legitimate context.
### Bypassing Previous Defenses
This research builds on **SafeBreach**'s earlier work, "Invitation Is All You Need," which demonstrated similar prompt injection techniques via malicious **Google Calendar** invites. Following that discovery, **Google** implemented server-side mitigations to harden **Gemini** against indirect prompt injection.
However, Yair's latest findings revealed a new bypass. **Google** has since patched this specific issue, and **SafeBreach** confirms there is no evidence of the technique being exploited in the wild, nor has a CVE been assigned.
### Android-Specific Attack Vector
The vulnerability primarily affected **Android** users because **Gemini**'s "Utilities feature" can read and respond to notifications from various apps. This functionality is not present on iOS or web versions of Gemini, making the attack vector **Android**-exclusive.
Yair discovered that the agent responsible for reading these notifications interpreted their text as actionable instructions. This meant any application capable of pushing a notification to an **Android** device could deliver a payload, creating an attack surface described as "**effectively infinite**."
### Initial Impacts: Faking Output
At a minimum, attackers could rewrite **Gemini**'s spoken responses, including faking messages from specific contacts. Imagine driving, eyes off the screen, and hearing, "your manager asked you to upload the docs to this Drive folder." Because Gemini reads genuine notifications in the same breath and attributes the injected line to the first real sender, such a message would be very difficult to second-guess.
### The Sophisticated Bypass: Fake Context Alignment
**Google**'s post-"Invitation" mitigations were designed to prevent **Gemini** from executing sensitive actions (like opening an app) without explicit user authorization. When a user responded "Yes" to a sensitive action, **Google**'s system checked whether that reply actually answered the question **Gemini** had just asked. A "Yes" following an injected, out-of-context instruction would therefore typically be refused.
Yair's bypass, dubbed **Fake Context Alignment**, cleverly circumvented this by running two simultaneous illusions:

* **Obfuscated Authorization:** **Gemini** would ask the real authorization question (e.g., "Do you want to open the window?") in a language the victim didn't speak (e.g., Chinese). Immediately after, it would follow up in English with an innocuous phrase like "Is that all you needed?" The user, brushing off the foreign text as a glitch, would say "Yes," and the backend would erroneously link that "Yes" to the Chinese authorization.
* **Muted Prompts:** **Gemini**'s text-to-speech does not read aloud the anchor text of hyperlinks. An attacker could place the authorization question inside link text that **Gemini** would render on screen but never speak. The screen might silently display "Do you want to open the window?" while **Gemini** audibly says, "I'm sorry, I had an error, are you there?" A user's "Yes" would then be interpreted by the system as consent to the on-screen prompt.
By combining these two techniques, an attacker could craft a payload that sounded like a normal English exchange while successfully clearing **Google**'s newest security checks.
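To make the two illusions concrete, the following toy model, added here and not code from **SafeBreach** or **Google**, simulates an authorization gate of the kind the section describes. The real Gemini pipeline is not public, so the gate logic, the markdown-style link syntax, the rule that text-to-speech drops link anchors, and the per-action consent phrases are all assumptions for this example. The naive gate accepts a "Yes" whenever the assistant's last turn asked for consent; the hardened variant additionally requires that the locale-specific consent phrase is exactly what the user would have heard, which rejects both the foreign-language question and the link-hidden question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Markdown-style link [anchor](url). Assumption from the article: the screen
# renders the anchor text but text-to-speech skips it.
LINK_RE = re.compile(r"\[([^\]]*)\]\([^)]*\)")

# Hypothetical table of consent phrases the user must actually hear, per
# sensitive action, in the user's locale (English here).
CONSENT_PHRASES = {
    "open_window": "do you want to open the window?",
    "save_memory": "do you want me to remember that?",
}


@dataclass
class AssistantTurn:
    displayed: str                        # text rendered on screen
    pending_action: Optional[str] = None  # sensitive action awaiting yes/no


def spoken_form(displayed: str) -> str:
    """Approximate what TTS reads aloud: link anchors removed, whitespace collapsed."""
    return re.sub(r"\s+", " ", LINK_RE.sub("", displayed)).strip()


def naive_gate(turn: AssistantTurn, reply: str) -> bool:
    """Gate modelled on the post-'Invitation' check as the article describes it:
    a 'Yes' is accepted when the last turn asked for consent to an action,
    regardless of how (or in what language) that question reached the user."""
    return turn.pending_action is not None and reply.strip().lower() == "yes"


def hardened_gate(turn: AssistantTurn, reply: str) -> bool:
    """Suggested variant (an assumption here, not Google's actual fix): the
    'Yes' only counts if what the user would have *heard* is exactly the
    locale-specific consent phrase for the pending action."""
    if turn.pending_action is None or reply.strip().lower() != "yes":
        return False
    phrase = CONSENT_PHRASES.get(turn.pending_action)
    if phrase is None:
        return False
    spoken = spoken_form(turn.displayed).lower()
    # A question in another script, a trailing "Is that all you needed?", or an
    # "I had an error, are you there?" distractor all fail this comparison.
    return spoken == phrase


def demo() -> dict:
    """Run the three scenarios from the article on constructed inputs and
    return {scenario: (naive_gate_result, hardened_gate_result)}."""
    legit = AssistantTurn("Do you want to open the window?", "open_window")
    # Obfuscated Authorization: consent question in Chinese, then an innocuous
    # English follow-up the user actually answers.
    obfuscated = AssistantTurn("你想打开窗户吗？ Is that all you needed?", "open_window")
    # Muted Prompt: consent question hidden in link text TTS never speaks.
    muted = AssistantTurn(
        "[Do you want to open the window?](https://example.invalid/x) "
        "I'm sorry, I had an error, are you there?",
        "open_window",
    )
    scenarios = [("legit", legit), ("obfuscated", obfuscated), ("muted", muted)]
    return {name: (naive_gate(t, "Yes"), hardened_gate(t, "Yes")) for name, t in scenarios}


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:11s} naive={naive!s:5} hardened={hardened}")
```

The point of the comparison is that a gate which checks "was the last output a consent question?" verifies the model's state, not the user's perception; aligning consent with the spoken form, in the user's language, closes both illusions at once. Real deployments would also need to refuse any notification-derived text that renders differently on screen than in speech.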
### Extended Impacts and Persistence
Once past the authorization gate, the impacts were significant and extended beyond previous research:
* **Smart Home Control:** Exploiting integration with **Google Home**, attackers could manipulate connected devices like windows, boilers, and lights.
* **Tracking and Downloads:** Opening malicious URLs could facilitate geolocation via IP addresses or push file downloads to the victim's device.
* **Cross-Application Hijacking:** Demos showed **Gemini** redirecting to app links (e.g., a **Zoom** meeting), forcing the phone to join and stream video. This worked because **Gemini**'s check saw only the initial domain, which served clean content, and not the subsequent redirect to the malicious app link.
* **Memory Poisoning:** Unlike previous techniques, **Fake Context Alignment** could simulate consent, allowing **Gemini** to persistently save attacker-chosen facts. In one demo, the victim's name was stored as "Danny." Since this memory is account-level, the poisoned fact would follow the victim across all devices using that **Google** account.
* **Scheduled Persistence:** Attackers could establish recurring tasks, such as scheduling **Gemini** to read the victim's recent messages daily.
### Remediation and User Actions
**SafeBreach** reported their findings to **Google**'s Vulnerability Reward Program on August 17, 2025. **Google** prioritized the issue, confirming on November 14, 2025, that improvements to content classifiers had successfully mitigated the notification injections and the Delayed Tool Invocation bypass.
As the fix was implemented server-side, no app update is required from users. Users who want to limit **Gemini**'s access to notifications regardless can disconnect the Utilities app in **Gemini**'s Connected Apps settings, or revoke the "Notification read, reply & control" permission for the **Google** app on **Android**; either step also disables Gemini's legitimate notification-reading features.