What the Gemini notification hijacking issue is
The Gemini notification hijacking issue is a security weakness in which hostile messages delivered as Android notifications are treated as instructions by the Gemini voice assistant, allowing attackers to trigger commands, fake trusted messages, or tamper with the assistant’s memory without installing any malicious app on the victim’s phone. The weakness arises where Gemini meets Android notifications: Gemini’s Utilities feature can read and reply to notifications from apps such as WhatsApp, Slack, SMS, Signal, Instagram, and Messenger, and it briefly treated notification text as trustworthy context. That meant anything that could send you a message could, in theory, send Gemini a payload. According to SafeBreach researcher Or Yair, this created an “effectively infinite” attack surface, because every service that can push a notification became a potential delivery channel.
How poisoned notifications abused Gemini without a malicious app
Unlike many phone security threats, this attack did not rely on tricking you into installing malware. Instead, it abused how Gemini interpreted notification content. When Utilities was enabled, Gemini could read incoming WhatsApp or Slack notifications aloud and act on them. The agent that handled this step did not clearly separate “messages about you” from “instructions for you,” so any notification could smuggle in commands. A single poisoned WhatsApp or Slack notification could prompt Gemini to open a URL, cross into other apps, or change its long-term memory. Because this Android notification hijacking technique worked entirely through normal app traffic, it left few obvious signs: no suspicious installs, no new permissions, only a message that arrived at the wrong time, with the wrong wording, but potentially very damaging effects.
Fake Context Alignment: tricking both Gemini and the user
Google had already tried to harden Gemini against indirect prompt injection by checking whether a user’s “Yes” matched the assistant’s last message before allowing sensitive actions. SafeBreach’s new technique, called Fake Context Alignment, found a way around that. It ran two illusions at once: one conversation for Gemini’s security checks and another, harmless-seeming thread for the human. In the “obfuscated” variant, Gemini asked the real authorization question in a language the victim did not understand, such as Chinese, then followed it with a harmless English prompt. In the “muted” variant, the real question was hidden inside a hyperlink that text-to-speech skipped, while Gemini spoke only an error message aloud. The user replied “Yes” to the visible or audible text that looked normal, but the backend paired that “Yes” with the hidden question and treated it as consent.
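One way a confirmation gate could bind the user's "Yes" to what was actually heard, shown as an added example that is not Google's or SafeBreach's code. It assumes replies carry Markdown-style links that text-to-speech skips whole; the function names and sample strings are constructed for illustration.

```python
import re
import unicodedata

# Assumption: replies use Markdown-style links and text-to-speech skips them whole.
LINK = re.compile(r"\[[^\]]*\]\([^)]*\)")

def spoken_text(reply: str) -> str:
    """Return what the user actually hears: the reply with links removed."""
    return re.sub(r"\s+", " ", LINK.sub(" ", reply)).strip()

def dominant_script(text: str) -> str:
    """Most common script among letters, taken from Unicode names (LATIN, CJK, ...)."""
    counts = {}
    for ch in text:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            counts[script] = counts.get(script, 0) + 1
    return max(counts, key=counts.get) if counts else ""

def check_consent(reply: str, pending_question: str, user_script: str = "LATIN") -> str:
    """Decide whether a following "Yes" may be paired with pending_question."""
    heard = spoken_text(reply)
    if pending_question not in heard:
        return "not_spoken"    # muted variant: the question never reached the user's ears
    if dominant_script(pending_question) != user_script:
        return "wrong_script"  # obfuscated variant: a script the user does not read
    if not heard.endswith(pending_question):
        return "not_last"      # the "Yes" would answer a later, different prompt
    return "ok"

# Constructed sample replies: (assistant reply, question the backend wants confirmed).
SAMPLES = {
    "plain": ("New message from Sam. Should I open the link?",
              "Should I open the link?"),
    "muted": ("[Should I open the link?](https://example.invalid/) Sorry, something went wrong.",
              "Should I open the link?"),
    "obfuscated": ("要打开这个链接吗？ Should I read your next message?",
                   "要打开这个链接吗？"),
    "trailing": ("Should I open the link? Should I read your next message?",
                 "Should I open the link?"),
}

if __name__ == "__main__":
    for name, (reply, question) in SAMPLES.items():
        print(f"{name:10} -> {check_consent(reply, question)}")
```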
What attackers could do: from fake messages to smart home control
Once Fake Context Alignment cleared Gemini’s checks, the potential impact went far beyond prank messages. A poisoned notification could rewrite what Gemini said, making it appear as if a real contact, such as your manager, had sent urgent instructions while you were driving. It could open URLs that revealed your IP address or triggered file downloads. In a demo, a safe-looking domain later redirected to a Zoom link, and Gemini followed it, forcing the phone into a meeting and streaming video. The technique also enabled memory poisoning, storing attacker-chosen facts such as a fake name (“Danny”) in Gemini’s long-term account-level memory so they followed you across devices. Finally, scheduled actions could add persistence, for example a recurring task to read recent messages every evening, extending the WhatsApp and Slack notification weakness into an ongoing surveillance or manipulation channel.
How to protect your phone and what Google has changed
SafeBreach reported the issue to Google’s Vulnerability Reward Program, and Google responded by updating its server-side content classifiers and Delayed Tool Invocation checks, so there is no specific app update to install. Even so, it is wise to review how much access you give Gemini to your notifications, especially for messaging apps that receive content from many sources. In Android settings, you can turn off the Google app’s “Notification read, reply & control” permission to stop Gemini from reading alerts at all. Inside Gemini, you can also disconnect the Utilities app in the Connected Apps section. These steps reduce convenience but sharply limit this class of attack. Going forward, treat any voice assistant that can act on WhatsApp, Slack, or SMS notifications as part of your security surface, not just a hands-free helper.






