Gemini Flaw Let Hackers Exploit Android Notifications
SafeBreach researchers said malicious WhatsApp, Slack and SMS messages could manipulate Gemini on Android before Google mitigated the issue.
News
- TCS Ties Up With Anthropic to Push Claude Into Enterprise AI
- Karnataka Shortlists 256 Deeptech Startups for ELEVATE NxT Finale
- Reliance-Backed Addverb Eyes $100 Million for Robotics Push
- Anthropic Releases Claude Fable 5 and Mythos 5
- Meta to Lease First AI Data Center in India From Reliance
- Musk Says Space AI Data Centers Are Within Reach as SpaceX Nears IPO
[Image source: Krishna Prasad/MITSMR India]
Cybersecurity firm SafeBreach said its researchers have found a Google Gemini flaw that could let attackers manipulate the AI assistant through notifications from messaging apps including WhatsApp, Slack, Signal, SMS, Instagram and Messenger.
The technique used indirect prompt injections hidden in notifications, research published by SafeBreach Labs showed.
SafeBreach said Gemini’s Android notification-reading feature could treat hostile message text as useful context, allowing attackers to alter the assistant’s replies or steer later actions.
Google has since mitigated the issue, according to SafeBreach.
The research builds on SafeBreach’s earlier “Invitation Is All You Need” work, which showed how malicious Google Calendar invites could be used to manipulate Gemini.
After that disclosure, Google added protections against indirect prompt injections, but SafeBreach said its latest work found a new route through Android notifications.
SafeBreach said any app capable of sending a notification could potentially deliver the malicious payload. The risk was Android-specific because it relied on Gemini’s ability to read notifications on the device, The Hacker News reported.
The researchers said attackers could use the technique to fake messages from trusted contacts, generate phishing prompts, open URLs, trigger connected devices, launch external apps and start video streams through Zoom. They also demonstrated memory poisoning and recurring scheduled actions, which could persist beyond the original interaction.
SafeBreach described a bypass method called “Fake Context Alignment,” which manipulated what Gemini’s security checks saw while presenting a different context to the user.
In one version, instructions were hidden in a foreign-language prompt. In another, malicious authorization text was placed in a hyperlink that appeared on screen but was not read aloud.
That gap could cause Gemini to treat a user’s harmless “yes” as approval for an action the user did not intend to authorize, according to the researchers.
The demonstrations included opening smart-home devices, launching URLs and starting a Zoom video session.
SafeBreach said it reported the findings to Google’s Vulnerability Reward Program on 17 August 2025. Google acknowledged the vulnerabilities and, on 14 November 2025, confirmed that improvements to its content classifier mitigated the indirect prompt injection and delayed tool-invocation scenarios described in the research.
Google’s own guidance describes indirect prompt injection as a security risk in which malicious instructions hidden in external data can manipulate an AI system’s behavior without the user’s knowledge.
Google says its Gemini defenses include prompt-injection classifiers, suspicious-link redaction, security instructions and user confirmation for risky actions.
SafeBreach said the findings show how AI assistants become harder to secure as they gain access to messages, apps, memory and connected devices.
The company said vendors need stronger safeguards around how AI systems process trust, context and permissions across communication channels.
