WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

Security researchers have disclosed a now-patched vulnerability that could have allowed attackers to manipulate Google’s Gemini AI assistant on Android through malicious notifications sent from popular messaging apps such as WhatsApp, Slack, Signal, Instagram, and Messenger.

The issue raised concerns that a single crafted notification could potentially influence Gemini’s behavior—ranging from generating fake messages to triggering unwanted actions on a device—without requiring any malicious app installation.

How the Notification Attack Worked

The vulnerability, identified by researcher Or Yair of SafeBreach, lay in Gemini’s Android “Utilities” feature, which could interpret notification content as actionable instructions.

This feature allows Gemini to read and respond to notifications from messaging apps. However, researchers found that under certain conditions the assistant could treat notification text as trusted input, effectively enabling indirect prompt injection.

Because notifications can originate from virtually any app or service, researchers described the potential attack surface as “nearly limitless.”

Potential Real-World Abuse Scenarios

If exploited, the flaw could have enabled attackers to manipulate Gemini into:

  • Sending or rewriting messages to impersonate trusted contacts
  • Triggering app actions such as joining meetings or opening links
  • Controlling connected smart home devices via Google integrations
  • Exposing location data or initiating file downloads
  • Influencing long-term “memory” stored by the assistant

Researchers also demonstrated scenarios where Gemini could be tricked into making phone actions appear to come from legitimate contacts, increasing the risk of social engineering attacks.

Advanced Bypass Techniques Discovered

After earlier security improvements by Google, the researcher identified a more sophisticated bypass technique dubbed “Fake Context Alignment.”

This method attempted to manipulate both the user and the AI system simultaneously by:

  • Mixing real and misleading authorization prompts
  • Obscuring malicious instructions inside hidden or non-obvious text
  • Exploiting differences between what is displayed and what is processed by the AI

In some test scenarios, the assistant could be tricked into accepting user confirmation for actions the user did not fully understand, especially when prompts were disguised or partially hidden.
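The gap between what a notification displays and what the assistant processes can be checked before the text reaches the model. The Python sketch below is an added example, not code from Google or SafeBreach. It assumes invisible Unicode format characters as one cause of that gap (the report does not say how text was hidden), and the function names and quarantine policy are hypothetical.

```python
import unicodedata

ZWJ = "\u200d"  # legitimate inside emoji sequences, e.g. U+1F469 ZWJ U+1F4BB


def split_visible(text):
    """Return (visible_text, hidden). `hidden` lists (index, 'U+XXXX') for code
    points a notification UI draws as nothing but a model would still receive."""
    visible, hidden = [], []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        nxt = text[i + 1] if i + 1 < len(text) else ""
        # A joiner directly followed by an emoji-class symbol is normal text.
        emoji_joiner = ch == ZWJ and nxt != "" and unicodedata.category(nxt) == "So"
        # Cf: format characters (zero-width, bidi controls, tag characters).
        # Cc: control characters other than ordinary line breaks and tabs.
        invisible = (cat == "Cf" and not emoji_joiner) or (
            cat == "Cc" and ch not in "\n\r\t")
        if invisible:
            hidden.append((i, f"U+{ord(ch):04X}"))
        else:
            visible.append(ch)
    return "".join(visible), hidden


def review_notification(text, max_hidden=0):
    """Hypothetical ingest policy: quarantine any notification whose raw text
    differs from what the user can see, instead of passing it to the assistant."""
    visible, hidden = split_visible(text)
    verdict = "pass" if len(hidden) <= max_hidden else "quarantine"
    return {
        "verdict": verdict,
        "model_input": visible if verdict == "pass" else None,
        "hidden": hidden,
    }


# Constructed sample notifications (not taken from the research).
SAMPLES = {
    "plain": "Dana: lunch at 12?",
    "emoji": "Dana: shipped it \U0001F469\u200d\U0001F4BB",
    "zero_width": "Dana: lunch\u200b\u200b at 12?",
    "tag_char": "Dana: ok\U000E0041",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = review_notification(text)
        print(name, result["verdict"], result["hidden"])
```

This catches only invisible code points. Instructions hidden by layout, truncation or wording still need the content classifiers and tool-invocation safeguards described in the article.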

Broader Risks to AI Assistants

Security experts say the findings highlight a growing risk category known as prompt injection attacks, where AI systems can be influenced through external data sources such as notifications, documents, or calendar events.

The research builds on earlier work by SafeBreach showing similar vulnerabilities involving Google Calendar invitations, suggesting that AI assistants remain vulnerable when they rely heavily on external contextual inputs.

Google Responds With Fixes

The issue was reported to Google’s Vulnerability Reward Program in August 2025. According to researchers, Google later implemented server-side mitigations that improved content filtering and reduced the risk of notification-based injection attacks.

The company confirmed in November 2025 that updates to its content classifiers and tool invocation safeguards had addressed the vulnerability. No evidence has been found that the exploit was used in real-world attacks.

Because the fix was deployed server-side, users do not need to install updates. However, researchers recommend limiting Gemini’s access to notifications as a precaution.

Recommended Security Precautions

Experts advise Android users to reduce exposure by:

  • Disabling notification access for Gemini’s connected utilities
  • Turning off “notification read and reply” permissions in Google settings
  • Reviewing connected apps that allow AI assistant control

These steps can significantly reduce the risk of indirect prompt injection via external apps.

Growing Attention on AI Security

As AI assistants become more deeply integrated into smartphones, researchers warn that attackers are increasingly targeting the “bridge layer” between apps and AI systems.

The incident underscores the importance of securing not just AI models themselves, but also the real-time data sources they rely on.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO