Malicious WhatsApp, Slack Alerts Could Have Exposed Millions of Android Users
Malicious WhatsApp, Slack Alerts Could Have Exposed Millions of Android Users
A routine phone notification could have become an attack path for Google Gemini on Android, according to new research from SafeBreach.
The now-mitigated issue involved crafted alerts from WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. SafeBreach said the alerts could influence how Gemini handled notification text, alter spoken responses, impersonate trusted contacts, trigger connected tools, and poison long-term memory.
Google addressed the issue with server-side content-classifier improvements. Researchers found no evidence of real-world exploitation.
Researchers found a notification-based prompt injection path
SafeBreach Labs said its researchers found the issue while testing Gemini’s Android Utilities feature, which can read and respond to phone notifications. The flaw affected how Gemini processed untrusted notification text from messaging and social apps.
The research was published on June 3 by Or Yair, security research team lead at SafeBreach. It followed the company’s earlier “Invitation Is All You Need” work, which showed how malicious Google Calendar invites could manipulate Gemini.
“The main purpose of Fake Context Alignment is to create a dual illusion: presenting a legitimate authorization scenario to Gemini’s behind-the-scenes security mechanisms, while presenting a completely different, benign scenario to the victim,” Yair wrote in the SafeBreach report.
The Hacker News reported that the attack did not require a malicious app on the victim’s phone. An attacker only needed to send a crafted notification that Gemini might later summarize or read aloud.
Fake Context Alignment bypassed newer guardrails
Google has already added protections after the earlier calendar-based research, but SafeBreach said Yair found a new bypass called Fake Context Alignment.
The technique created two versions of the same interaction. One looked like a legitimate consent to Gemini’s security checks. The other one sounded harmless to the user.
In one example, Gemini displayed or processed an authorized question in a foreign language while asking the user an unrelated English question aloud. If the user answered “yes,” Gemini could interpret it as approval of the hidden action.
According to Dark Reading, the technique could support social engineering, smart home control, unauthorized video streams, and long-term memory poisoning. Yair told Dark Reading, “We do need to treat all external input as not trusted because all external input is a potential instruction.”
Google says the issue has been fixed
SafeBreach noted that Google has already addressed the issue. The fix was made on Google’s side, so users do not need to install a specific Gemini app update to receive the mitigation.
SafeBreach further clarified that no CVE was listed for the issue and that there was no evidence the technique had been used in the wild.
On Android, users can limit exposure by disabling Gemini’s Utilities app in the Connected Apps settings or by turning off the Google app’s “Notification read, reply & control” permission. Those settings control whether Gemini can read and respond to notifications.
For organizations, the finding serves as a reminder that AI assistant permissions can have security implications beyond the assistant itself. Notification access, connected app permissions, and policies for AI tools on managed devices all affect how much outside content an assistant can process or act on.
See how attackers used a Meta AI support exploit to hijack the Obama White House Instagram account.
About Author
