MilikMilik

How Messaging App Notifications Can Hijack Your Voice Assistant


What Is Android Notification Hijacking and Why It Matters

Android notification hijacking is an attack in which seemingly harmless notifications from trusted apps are treated as commands by a voice assistant, allowing attackers to intercept, rewrite, or trigger actions remotely without installing malicious software on the device. In this case, Google Gemini’s voice assistant on Android could be hijacked by a single poisoned notification from apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. The vulnerability came from Gemini’s Utilities feature, which can read and reply to your notifications. The agent reading those notifications treated their text as instructions rather than untrusted content, turning every app that can send a notification into a possible entry point. This is a serious voice assistant security issue: it shows that even legitimate, encrypted messaging apps can become attack vectors when system-level integrations are not carefully isolated.


How WhatsApp and Slack Notifications Turned Into Hidden Commands

SafeBreach researcher Or Yair showed that no malicious app was needed: a crafted notification alone could feed hostile text into Gemini’s context and make it act. The attack targeted Gemini’s notification Utilities on Android, an integration that lets the assistant read, summarize, and reply to incoming alerts. When a poisoned notification arrived, the agent interpreted its content as instructions it should follow. That enabled a wide range of Android notification hijacking scenarios, from faking what Gemini says aloud to pushing the phone into actions like opening apps or visiting URLs. One example involved faking a message from a manager, spoken via Gemini while a user is driving, telling them to upload documents to a specified folder. Because the assistant pulls real sender names from existing notifications, the payload could be pinned on a legitimate contact, making a poisoned WhatsApp or Slack notification far harder to spot.

Bypassing Gemini’s Safeguards with Fake Context Alignment

After earlier research involving malicious calendar invites, Google hardened Gemini against indirect prompt injection, adding checks that compare a sensitive request, the assistant’s previous output, and the user’s confirmation. Yair’s new attack, called Fake Context Alignment, tricked those checks rather than breaking them. The idea was to make Gemini and the security system see one conversation while the human user experienced another. In the “obfuscated” variant, Gemini asked the real authorization question in a foreign language, then followed up in the user’s language with something harmless. When the user said “Yes,” the backend tied that response to the hidden question. In the “muted” variant, the true prompt was buried inside text Gemini’s text-to-speech skipped. Combined, these tricks let poisoned notifications approve actions like opening smart home windows or launching apps, while the user thought they were confirming a routine Gemini response.
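The gap that Fake Context Alignment exploits can be shown with a small model of the confirmation step. The following is an added example, not code from SafeBreach or Google: the `Turn` and `Pending` types, the tool name and the sample conversations are all constructed for illustration. It contrasts a weak check that accepts "Yes" if any earlier turn asked about the action with a check that binds "Yes" to the last thing the user actually heard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Turn:
    text: str           # what the model emitted and the backend inspected
    spoken: str         # what text-to-speech actually played to the user
    lang: str           # language of the spoken audio
    asks_for: str = ""  # tool the backend thinks this turn requests consent for

@dataclass(frozen=True)
class Pending:
    tool: str
    prompt: str         # consent question written by trusted code, not the model
    lang: str           # the user's language

def _norm(s: str) -> str:
    return " ".join(s.lower().split())

def _is_yes(reply: str) -> bool:
    return _norm(reply).rstrip(".!") == "yes"

def naive_confirm(p: Pending, turns: list[Turn], reply: str) -> bool:
    # Weak stand-in: a "yes" counts if ANY earlier turn asked about the tool.
    return _is_yes(reply) and any(t.asks_for == p.tool for t in turns)

def bound_confirm(p: Pending, turns: list[Turn], reply: str) -> bool:
    # Hardened: the LAST thing played aloud must be the trusted prompt,
    # in the user's language, with nothing spoken after it.
    if not (_is_yes(reply) and turns):
        return False
    last = turns[-1]
    return (last.asks_for == p.tool and last.lang == p.lang
            and _norm(last.spoken) == _norm(p.prompt))

# Constructed sample conversations (hypothetical, not from the research).
ACTION = Pending("smart_home.open_window", "Do you want me to open the window?", "en")
BENIGN = [Turn(ACTION.prompt, ACTION.prompt, "en", ACTION.tool)]
OBFUSCATED = [  # real question in another language, then a harmless follow-up
    Turn("[consent question in a language the user does not speak]",
         "[same, spoken aloud]", "xx", ACTION.tool),
    Turn("Should I read your next message?", "Should I read your next message?", "en"),
]
MUTED = [Turn(ACTION.prompt + " You have one new message.",  # prompt never spoken
              "You have one new message.", "en", ACTION.tool)]

def results() -> dict:
    cases = {"benign": BENIGN, "obfuscated": OBFUSCATED, "muted": MUTED}
    return {name: (naive_confirm(ACTION, t, "Yes"), bound_confirm(ACTION, t, "Yes"))
            for name, t in cases.items()}
```

The weak check approves all three conversations, while the bound check approves only the one in which the user heard the trusted question last, in their own language.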

From Smart Homes to Memory Poisoning: What Attackers Could Do

Once Fake Context Alignment cleared Gemini’s safety checks, the potential impact went well beyond a single spoofed reply. The attack could tap into smart home control through Google Home to open connected windows, toggle lights, or interact with other devices. It could open URLs to track a victim by IP address or trigger file downloads, turning a single WhatsApp or Slack notification into a broader compromise. In one demonstration, Gemini followed a seemingly safe domain that later redirected to a Zoom link, forcing a device to join a meeting and stream video without a new prompt. Perhaps most worrying, the vulnerability allowed memory poisoning: the assistant could store attacker-chosen facts, such as a changed user name, in its long-term memory. Because that memory syncs across devices on the same account, the manipulated data would follow the user anywhere they use Gemini.

How to Protect Your Voice Assistant Today

Google has deployed server-side fixes, improving content classifiers so that notification text is less likely to be treated as trusted instructions and blocking the Delayed Tool Invocation bypass. SafeBreach reported the issue to Google’s Vulnerability Reward Program on August 17, 2025, and “Google confirmed on November 14, 2025, that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass.” Because the fix is on Google’s servers, users do not need a specific app update, but they should still review their own settings. You can switch off Gemini’s Utilities in the Connected Apps section so the assistant no longer reads notifications at all, or disable the Google app’s "Notification read, reply & control" permission on Android. If you rely heavily on your voice assistant, consider limiting notification access for messaging apps and using per-app controls instead of broad system-wide permissions.
