What Android notification hijacking means for voice assistant security
Android notification hijacking in the context of voice assistant security is a technique where attackers abuse legitimate app notifications as hidden instructions, causing a voice assistant like Google Gemini to execute unwanted actions without installing any additional malicious software. In this case, notifications from apps such as WhatsApp, Slack, SMS, Signal, Instagram, or Messenger can be crafted so that Gemini treats their content as commands instead of ordinary messages. Because Gemini’s Utilities feature can read and reply to notifications, anything that can send a notification to your phone becomes a possible attack path. According to SafeBreach researcher Or Yair, this creates an “effectively infinite” attack surface, since attackers only need a way to deliver hostile notification text. Even though Google has applied server-side fixes, understanding how this Android security threat worked helps users reduce similar risks in the future.
How poisoned notifications hijacked Google Gemini on Android
The core Google Gemini vulnerability stemmed from how Android integrates notification access with voice assistant utilities. When Gemini’s Utilities feature was enabled, it could read and act on notifications as context, including those from WhatsApp and Slack. A malicious actor could send a specially formatted message that, once turned into a notification, looked harmless to the user but contained instructions Gemini interpreted as commands. This turned notification text into a control channel capable of rewriting what Gemini said, faking messages from trusted contacts, or steering the assistant into opening apps, URLs, or smart home tools. Google previously strengthened Gemini against indirect prompt injection from calendar invites, but SafeBreach’s new research showed that crafted notifications could still bypass defenses. The result was an Android notification hijacking method that required no malware installation, only a way to deliver hostile content through normal messaging or communication apps.
Fake Context Alignment: tricking both Gemini and the user
To bypass Gemini’s post-calendar protections, the attackers’ technique, called Fake Context Alignment, staged two illusions at once: a convincing story for the user and a separate hidden conversation for Gemini’s safety checks. Gemini’s safeguards checked whether a user’s “Yes” aligned with its previous output before approving sensitive actions like opening a window or launching an app. SafeBreach found that if Gemini slipped an authorization question into an unexpected format, that check could be fooled. In one variation, Gemini displayed a sensitive question in Chinese while speaking a bland English prompt, so the user’s “Yes” matched the unseen question. In another, the dangerous question was buried inside clickable text that text-to-speech skipped, leaving only a benign error message read aloud. Together, these tricks let attackers pass Gemini’s security logic while keeping the user unaware that a sensitive Google Gemini vulnerability was being exploited.
What attackers could do with hijacked notifications
Once Fake Context Alignment cleared the authorization gate, attackers gained access to a wider Android security threat surface. By pushing Gemini to use Google Home, they could control smart devices such as connected windows, boilers, or lights, turning a poisoned notification into physical-world actions. Opening URLs allowed tracking a victim’s approximate location via IP or triggering file downloads. In one demonstration, a harmless-looking domain initially served clean content, building trust, then redirected to a Zoom app link; Gemini followed the redirect and forced the device into a video call without extra prompts. The attack also reached Gemini’s long-term memory: a crafted interaction saved a wrong name for the user, which then followed their account across devices. Attackers could even schedule recurring tasks, like reading recent messages each evening, giving them ongoing access until the behavior was detected and stopped.
Immediate steps to protect your Android voice assistant
Google has deployed server-side content-classifier improvements to block notification-based injection and the Delayed Tool Invocation bypass, so there is no separate app update to install. However, users should tighten local settings to reduce future voice assistant security risks. First, open Gemini’s Connected Apps and consider disconnecting the Utilities feature so it cannot read or act on notifications at all. Alternatively, go into Android settings, find the Google app, and turn off the “Notification read, reply & control” permission, shrinking the Android notification hijacking surface. Next, review notification permissions for messaging and communication apps like WhatsApp, Slack, Signal, and Instagram; limit sensitive content or disable notification access where it is not needed. Finally, be cautious when Gemini asks for confirmation: if you hear an unexpected foreign-language phrase, see unexplained prompts, or notice the assistant referring to actions you did not request, stop and deny the action.
