A single poisoned notification could have hijacked Google Gemini’s voice assistant on Android. The malicious message could come from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. Once triggered, it could open a victim’s connected windows, fake a message from their boss, force the phone into a Zoom call, or quietly poison Gemini’s long-term memory.
Crucially, the attack required no malicious app on the phone. The assistant simply had to treat a hostile notification as useful context. SafeBreach researcher Or Yair published the findings, building on the team’s earlier “Invitation Is All You Need” work that used malicious Google Calendar invites.
Google has since patched the issue. SafeBreach lists no CVE, and there is no evidence the technique was ever used in the wild.
How the Attack Worked
On Android, Gemini’s Utilities feature can read and reply to notifications, including ones from apps like WhatsApp. The feature is not available on iOS or the web, which keeps the attack Android-only. Yair found that the agent reading those notifications treats their text as instructions it can act on. As a result, anything that pushes a notification to a phone could deliver a payload. Yair called this an effectively infinite attack surface.
At minimum, an attacker could rewrite what Gemini says, including faking a message from a named contact. Spoken aloud while driving, “your manager asked you to upload the docs to this Drive folder” is hard to question. A blind version was worse. The payload fired after Gemini loaded real notifications, so it could grab the first real sender name and pin the fake message on them. That required no reconnaissance and scaled easily.
Bypassing Google’s Defenses
Firing real tools, like opening apps, is what Google’s earlier mitigations were built to stop. Those checks weighed both the user’s reply and Gemini’s last output before authorizing a sensitive action. Injecting a delayed instruction out of nowhere caused Gemini to refuse every time.
So Yair built a bypass called Fake Context Alignment. It ran two illusions at once. In the obfuscated version, Gemini asked the real authorization question in a language the victim did not speak, like Chinese, then followed in English with something harmless. The user dismissed the foreign phrase and said “Yes,” which the system tied to the hidden question. In the muted version, Gemini’s text-to-speech skipped hyperlinks, burying the malicious question in a link it never read aloud. Combining both tricks cleared Google’s newest checks while sounding like a normal exchange.
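The two conditions the bypass relied on translate directly into a defensive check. The Python below is an added example, not Google's, Gemini's, or SafeBreach's code: a hypothetical confirmation gate that refuses to bind a user's "yes" to an authorization prompt if the prompt contains a hyperlink (which the article says text-to-speech skipped) or characters from a script the user is not configured to read (the foreign-language question). The script bucketing via Unicode character names is a coarse approximation, and the user's readable scripts and all sample prompts are constructed for illustration.

```python
"""Consent-prompt gate for an agent's sensitive actions (added illustration).

Models a defence against the two tricks described above: an authorization
question rendered in a language the user does not read, and a question
buried in a hyperlink that the speech engine never voices. A "yes" only
counts if the prompt the user heard is the prompt the agent acted on.
"""
import re
import unicodedata
from dataclasses import dataclass

# Bare URLs and markdown-style [label](target) links; TTS is assumed to skip these.
URL_RE = re.compile(r"https?://\S+|\[[^\]]*\]\([^)]*\)", re.IGNORECASE)

# Hypothetical per-user setting: scripts this user can read (constructed).
USER_READABLE_SCRIPTS = frozenset({"LATIN", "COMMON"})

AFFIRMATIVES = {"yes", "y", "confirm", "ok"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def script_of(ch: str) -> str:
    """Coarse script bucket: first word of the Unicode name for letters,
    COMMON for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def speakable_text(prompt: str) -> str:
    """What a TTS engine that skips hyperlinks would actually say."""
    return URL_RE.sub("", prompt)


def gate_confirmation(prompt: str, user_reply: str,
                      readable_scripts: frozenset = USER_READABLE_SCRIPTS) -> Verdict:
    """Decide whether `user_reply` may authorize the action described in `prompt`."""
    if user_reply.strip().lower() not in AFFIRMATIVES:
        return Verdict(False, "no affirmative reply")
    # Muted channel: anything the user would not have heard disqualifies the prompt.
    if speakable_text(prompt) != prompt:
        return Verdict(False, "prompt contains a link that TTS would not read aloud")
    # Obfuscated channel: the whole prompt must be in scripts the user reads.
    foreign = {script_of(c) for c in prompt} - set(readable_scripts)
    if foreign:
        return Verdict(False, f"prompt uses script(s) the user cannot read: {sorted(foreign)}")
    return Verdict(True, "confirmation bound to a fully audible, readable prompt")


# Constructed sample prompts for the three cases discussed in the article.
CLEAN_PROMPT = "Do you want to open the living-room window?"
OBFUSCATED_PROMPT = "您要打开窗户吗？ What would you like for lunch today?"
MUTED_PROMPT = ("Here is your summary. "
                "[Allow the assistant to join the meeting?](https://example.invalid/meet) "
                "Anything else?")

if __name__ == "__main__":
    for label, prompt in [("clean", CLEAN_PROMPT),
                          ("obfuscated", OBFUSCATED_PROMPT),
                          ("muted", MUTED_PROMPT)]:
        verdict = gate_confirmation(prompt, "Yes")
        print(f"{label:11s} allowed={verdict.allowed!s:5s} {verdict.reason}")
```

The point of the design is that the gate evaluates the prompt the user could actually perceive, not the text the agent emitted. A production system would replace the script heuristic with the user's locale and the speech engine's real rendering, but the structural rule stays the same: consent only binds to what was heard.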
What Attackers Could Do
Past the authorization gate, the impacts were severe. Attackers could control smart homes through Google Home, including windows, boilers, and lights. They could track victims by IP or push file downloads. In one demo, Yair made Gemini follow a redirect into a Zoom link, forcing the phone to join a meeting and stream video.
Most concerning was memory poisoning, which the earlier calendar attack never achieved. Fake Context Alignment simulated consent, so Gemini permanently saved an attacker-chosen fact. Because that memory is account-level, the poisoned data followed the victim across every device using Gemini on that account. Attackers could also set persistent scheduled tasks, like reading a victim’s messages daily at 8 PM.
The Fix
SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google treated it as high priority and confirmed on November 14, 2025, that classifier improvements mitigated the attacks. Because the fix is server-side, there is no app update to install.
According to Google:
Google acknowledges the research “Invitation Is All You Need” by Ben Nassi, Stav Cohen, and Or Yair, responsibly disclosed via our AI Vulnerability Rewards Program (VRP). The paper detailed theoretical indirect prompt injection techniques affecting LLM-powered assistants and was shared with Google in the spirit of improving user security and safety.
Users who want extra control can disconnect the Utilities app in Gemini’s Connected Apps settings. Alternatively, they can turn off the Google app’s “Notification read, reply and control” permission on Android. For Pakistani users, who rely heavily on WhatsApp and Android devices, the research is a reminder that AI assistants introduce new and unexpected attack surfaces.
