- What: Google Gemini's Android notification-reading agent treated incoming notification text as executable instructions, letting any app that can push notifications deliver prompt-injection payloads — no malicious app, no CVE.
- Impact: Attackers could control Google Home devices, force victims into Zoom calls, geolocate them via redirect, and permanently poison Gemini's account-level memory to enable recurring surveillance.
- Fix / mitigation: Google deployed a server-side content classifier on Nov 14, 2025 (89 days after disclosure); users can also disconnect Gemini's Utilities app or revoke the "Notification read, reply & control" Android permission.
- Who's at risk: Android users with Google Gemini's Utilities/notification-reading feature enabled; iOS and web versions are unaffected.
Google Gemini's Android voice assistant could be completely hijacked through a single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. The vulnerability allowed attackers to control smart home devices, fake messages from trusted contacts, force victims into Zoom calls, and persistently poison the AI's long-term memory—all without requiring any malicious app on the target device.
SafeBreach researcher Or Yair disclosed the vulnerability to Google's Vulnerability Reward Program on August 17, 2025. Google confirmed mitigation through server-side content-classifier improvements on November 14, 2025. No CVE was assigned, and no evidence exists of exploitation in the wild. The attack vector exploited Gemini's Utilities feature, which reads and replies to Android notifications—functionality not available on iOS or web versions.
Attack Vector: Treating Notifications as Instructions
The core vulnerability resided in how Gemini's notification-reading agent processed text. The agent treated notification content as actionable instructions rather than simple data to be displayed. Any application or service capable of pushing notifications to an Android device could deliver a payload, creating what Yair described as an "effectively infinite" attack surface.
At its simplest, attackers could rewrite Gemini's spoken output. A notification could inject instructions causing the assistant to claim "your manager asked you to upload the docs to this Drive folder" while the victim was driving and unable to verify the screen. More sophisticated attacks could grab the first real sender name from the notification queue and pin fabricated messages on legitimate contacts, making social engineering attacks nearly undetectable through audio alone.
Fake Context Alignment: Bypassing Google's Security Checks
This research followed SafeBreach's earlier "Invitation Is All You Need" work exploiting Google Calendar invites. After that disclosure, Google hardened Gemini against indirect prompt injection by implementing authorization checks: when a "Yes" authorizes a sensitive action, the system weighs both the user's reply and Gemini's last output to validate the authorization makes contextual sense. Direct injection attempts failed consistently against this defense.
Yair's bypass, named Fake Context Alignment, ran two simultaneous illusions—one for the security check, one for the human victim. The technique used two primary methods:
- Obfuscation: Gemini asked the real authorization question in a language the victim didn't speak (such as Chinese: "Do you want to open the window?"), then followed in English with something innocuous like "Is that all you needed?" The victim dismissed the foreign phrase as a glitch, said "Yes," and the backend tied that affirmation to the Chinese authorization.
- Muting: Gemini's text-to-speech engine does not read the visible text of a hyperlink aloud. The malicious authorization question was placed in the anchor text of a link, so the assistant never spoke it. Gemini said "I'm sorry, I had an error, are you there?" while the screen silently displayed "Do you want to open the window?" The driver said "Yes," the check matched the affirmation against the on-screen text, and the action executed.
- Combined approach: A Chinese authorization prompt hidden inside a muted link created a payload that sounded like normal English conversation while clearing Google's authorization gates.
The attack is particularly dangerous in hands-free scenarios. Drivers, people with visual impairments, or users multitasking rely entirely on audio output. When Gemini speaks a benign English question while the screen shows a sensitive authorization in another language, victims have no way to detect the discrepancy through the voice interface alone.
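The following is an added example, not code from SafeBreach or Google. It models the mismatch that Fake Context Alignment exploits: the authorization check validates a "Yes" against everything the assistant emitted, while the user only hears what text-to-speech actually speaks. The markdown-link rendering, the function names, the Chinese translation of the prompt and the four sample outputs are all constructed for illustration. The hardened variant binds consent to the spoken text instead, requiring the canonical prompt in the user's language to be the last question the user heard.

```python
import re

# Added example (not SafeBreach's or Google's code).  Models the gap between
# what an authorization check sees and what the user hears.

LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")   # markdown [anchor text](url)


def tts_render(text):
    """What is spoken aloud: hyperlink anchor text is muted (never read)."""
    return re.sub(r"\s+", " ", LINK.sub("", text)).strip()


def screen_render(text):
    """What the screen shows: anchor text visible, URL hidden."""
    return re.sub(r"\s+", " ", LINK.sub(r"\1", text)).strip()


# The exact prompt the tool layer must speak, in the user's language, before
# a sensitive action may run (constructed).
CANONICAL_PROMPT = {"open_window": "Do you want to open the window?"}

# A multilingual, model-style check also recognises the question in other
# languages; the Chinese string is a constructed translation.
KNOWN_PHRASINGS = {
    "open_window": ["do you want to open the window?", "你想打开窗户吗？"],
}


def is_affirmative(reply):
    return reply.strip().lower().rstrip(".!") in {"yes", "yeah", "sure", "ok"}


def authorize_vulnerable(action, reply, last_output):
    """Contextual check as the article describes it: 'Yes' counts if the
    assistant's last output, as it appears on screen, asked about the action
    in any recognised language."""
    shown = screen_render(last_output).lower()
    asked = any(phrase in shown for phrase in KNOWN_PHRASINGS[action])
    return is_affirmative(reply) and asked


def authorize_hardened(action, reply, last_output):
    """Bind consent to what the user actually heard: the canonical prompt in
    the user's language must be the last question in the spoken text."""
    spoken = tts_render(last_output)
    sentences = re.split(r"(?<=[.!?？])\s+", spoken)
    questions = [s for s in sentences if s.endswith(("?", "？"))]
    asked_last = bool(questions) and questions[-1] == CANONICAL_PROMPT[action]
    return is_affirmative(reply) and asked_last


# Constructed samples of what a poisoned notification can make the assistant emit.
SAMPLES = {
    "legitimate": "Sure. Do you want to open the window?",
    "obfuscation": "你想打开窗户吗？ Is that all you needed?",
    "muting": "I'm sorry, I had an error, are you there? "
              "[Do you want to open the window?](https://example.invalid/p)",
    "combined": "I'm sorry, I had an error, are you there? "
                "[你想打开窗户吗？](https://example.invalid/p)",
}


def run_all(reply="Yes"):
    """Return {sample: (vulnerable_check_result, hardened_check_result)}."""
    return {
        name: (authorize_vulnerable("open_window", reply, out),
               authorize_hardened("open_window", reply, out))
        for name, out in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:12s} spoken={tts_render(out)!r}")
        print(f"{'':12s} screen={screen_render(out)!r}")
    print(run_all())
```

Only the legitimate sample passes the hardened check; the three attack samples pass the vulnerable one because the screen text carries a recognised phrasing the user never heard. The design choice is that the tool layer, not the model's free-form output, owns the authorization prompt, and the check compares against the spoken rendering rather than the full output.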
Impact Scope: Smart Homes to Persistent Memory Poisoning
Once past authorization checks, attackers gained extensive control capabilities:
- Smart home control through Google Home integration: connected windows, boilers, lights, and other IoT devices became remotely accessible.
- Tracking and downloads: Opening attacker-controlled URLs enabled IP-based geolocation and forced file downloads to the device.
- Cross-app exploitation: Yair demonstrated setting a safe-looking domain to redirect to a Zoom app link. Gemini followed the redirect without prompting, forcing the phone to join a meeting and stream video. The attack worked because Gemini evaluated trust against the initial domain, which served clean content, and then followed the subsequent redirect without re-checking the destination.
- Memory poisoning: The most persistent impact. Fake Context Alignment simulated consent, causing Gemini to save attacker-chosen facts permanently. In demonstrations, researchers stored a fake victim name. Because this memory operates at the account level, the poisoned data followed victims across all devices where they used Gemini with that account.
- Scheduled persistence: Attackers could create recurring tasks, such as reading the victim's recent messages daily at 8 PM, establishing ongoing surveillance without repeated exploitation.
SafeBreach emphasized that their domain never redirected to Zoom during responsible disclosure—the redirect demonstration ran on a local server on the test device. However, the technique proved that trusted domains could be leveraged for redirection attacks once initial trust was established.
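The redirect problem above, as an added example that is not SafeBreach's or Google's code: an agent that decides trust once, on the initial URL, and then follows redirects blindly will hand a custom-scheme app link to the operating system, whereas re-validating every hop refuses it. The HTTP exchange is replaced by a constructed response table so the example runs offline; the host names, the `zoommtg://` deep-link form and the function names are illustrative assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Added example (not SafeBreach's or Google's code).  Constructed "network":
# url -> (status, Location header or None).  The final hop is a custom-scheme
# app link of the kind that opens a meeting client.
RESPONSES = {
    "https://docs.example.test/report": (200, None),
    "https://docs.example.test/meeting": (302, "https://docs.example.test/go"),
    "https://docs.example.test/go": (302, "zoommtg://zoom.us/join?confno=123456789"),
    "https://docs.example.test/loop": (302, "https://docs.example.test/loop"),
}
REDIRECTS = {301, 302, 303, 307, 308}
TRUSTED_HOSTS = {"docs.example.test"}        # assumed allowlist


def fetch(url):
    """Stand-in for an HTTP GET that does not follow redirects itself."""
    return RESPONSES.get(url, (404, None))


def url_is_trusted(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS


def open_url_vulnerable(url, max_hops=5):
    """Trust is decided once on the initial URL; redirects are then followed
    blindly, and a non-http(s) scheme is handed to the OS as an app intent."""
    if not url_is_trusted(url):
        return ("blocked", url)
    for _ in range(max_hops):
        if urlsplit(url).scheme not in ("http", "https"):
            return ("launched_app", url)     # the meeting client opens and joins
        status, location = fetch(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return ("opened", url) if status == 200 else ("error", url)
    return ("error", url)


def open_url_hardened(url, max_hops=5):
    """Re-validate every hop: only http(s) to trusted hosts is followed; any
    redirect to another scheme or host is refused rather than passed to the OS."""
    for _ in range(max_hops):
        if not url_is_trusted(url):
            return ("blocked", url)
        status, location = fetch(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return ("opened", url) if status == 200 else ("error", url)
    return ("blocked", url)                  # redirect loop or chain too long


if __name__ == "__main__":
    for start in ("https://docs.example.test/report",
                  "https://docs.example.test/meeting",
                  "https://docs.example.test/loop"):
        print(start, "->", open_url_vulnerable(start), open_url_hardened(start))
```

In a real agent the hardened path would additionally require an explicit, spoken confirmation before any app is launched, since even an allowlisted host can be compromised later.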
Mitigation and Timeline
Google treated the disclosure as high priority. The 89-day window from August 17 disclosure to November 14 confirmation represents relatively rapid response for a complex AI security issue. Google's mitigation focused on content-classifier improvements to detect notification-based injections and block the Delayed Tool Invocation bypass technique.
Critically, the fix deployed server-side. No app updates are required, and users have no patch to install or verify. This approach enables rapid deployment but removes visibility into whether specific devices or accounts received protection. Organizations managing Android fleets cannot audit patch status through traditional mobile device management tools.
User Controls and Recommendations
The only user-accessible control is disabling Gemini's notification access entirely. Users can do this in either of two ways:
- Disconnect the Utilities app in Gemini's Connected Apps settings
- Disable the Google app's "Notification read, reply & control" permission in Android system settings
This represents an all-or-nothing choice. Gemini cannot selectively read notifications from trusted apps while blocking others. Organizations must weigh the productivity benefits of AI-assisted notification management against the risk that any notification source becomes an injection vector.
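Because the fix is server-side and leaves nothing to verify on the device, the one thing an Android fleet owner can check is whether the Google app, which hosts Gemini's Utilities feature, still holds notification-listener access (the "Notification read, reply & control" permission). The following is an added example, not code from SafeBreach or Google: it parses Android's `enabled_notification_listeners` secure setting and, optionally, reads it live over adb. The package name is the Google app's; the listener class names in the constructed sample are placeholders.

```python
import subprocess

# Added example (not SafeBreach's or Google's code).  Audits whether the
# Google app still has notification-listener access on an Android device.

GOOGLE_APP = "com.google.android.googlequicksearchbox"   # the Google app

# Constructed sample of the setting's format: "pkg/Class:pkg2/Class2".
# The class names are placeholders, not real component names.
SAMPLE_SETTING = (
    "com.example.wearable/com.example.wearable.NotificationBridge:"
    "com.google.android.googlequicksearchbox/com.example.placeholder.ListenerService"
)


def parse_listeners(setting_value):
    """Split the enabled_notification_listeners value into component entries.
    An empty setting reads back from `settings get` as "null"."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    return [entry.strip() for entry in value.split(":") if entry.strip()]


def packages_with_listener_access(setting_value):
    return {entry.split("/", 1)[0] for entry in parse_listeners(setting_value)}


def gemini_can_read_notifications(setting_value, package=GOOGLE_APP):
    """True if the package hosting Gemini's Utilities feature holds
    notification-listener access on this device."""
    return package in packages_with_listener_access(setting_value)


def read_setting_from_device(serial=None):
    """Live read over adb; requires the Android platform tools and a device
    authorised for USB/wireless debugging."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_notification_listeners"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def audit_device(serial=None):
    value = read_setting_from_device(serial)
    return {
        "serial": serial,
        "gemini_notification_access": gemini_can_read_notifications(value),
        "listeners": parse_listeners(value),
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(audit_device(*sys.argv[1:2]), indent=2))
```

The check covers only the Android-side permission; the other control, disconnecting the Utilities app inside Gemini, is an account setting that is not visible from the device.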
Broader Implications for AI Agent Security
This vulnerability exposes fundamental challenges in securing AI agents that bridge multiple data sources and execution contexts. Gemini's design treats user notifications, calendar invites, and direct commands as equivalent input streams. When an AI cannot reliably distinguish between user intent and external data, every input channel becomes a potential command injection vector.
The Fake Context Alignment technique demonstrates that authorization checks based on conversational context can be gamed through multilingual obfuscation and interface mismatches between visual and audio output. As AI assistants gain deeper system integration—controlling smart homes, accessing corporate tools, managing financial accounts—the attack surface expands proportionally. Each new capability increases the value of successful prompt injection.
Security teams should recognize that this vulnerability class extends beyond Google Gemini. Any AI agent that processes untrusted input while holding elevated permissions faces similar risks. The notification vector is particularly concerning because it requires almost no user interaction beyond normal device usage: the payload is processed as soon as the assistant reads the notification, and the only consent a sensitive action needs is a single "Yes" to what sounds like an innocuous question. Unlike phishing, which demands the victim click a link or open an attachment, notification-based injection executes when the AI assistant simply reads incoming messages as part of its designed workflow.
Organizations deploying AI assistants should inventory what data sources their agents access, what permissions they hold, and whether untrusted input can reach decision-making contexts. Server-side content filtering, as Google deployed, provides defense but cannot be verified by end users or administrators. Traditional security controls—application allowlisting, network segmentation, least privilege—apply imperfectly to AI agents that require broad access to function as designed.
RedEye Security provides assessments for organizations that need to understand their real risk.