Security researchers have disclosed a critical new class of vulnerabilities in Google Gemini that lets attackers hijack the AI assistant through indirect prompt injections (IPI) delivered in everyday messaging notifications, including those from WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.
The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation Is All You Need” findings, which weaponized Google Calendar invitations against Gemini.
The root weakness lies in Gemini's Android Utilities agent, which reads the content of incoming notifications into the model's context without adequately treating that content as untrusted input.
By placing a crafted payload in an ordinary messaging notification, an attacker can inject instructions into the victim's Gemini conversation context without the victim noticing that anything has happened.
Google Gemini Vulnerability Exploited
Google had previously patched the earlier techniques by blocking Delayed Tool Invocation, in which the injected payload instructs the assistant to perform a malicious action only after a later, benign user prompt.
To get past that fix, the researchers developed a technique they call Fake Context Alignment. It creates a dual illusion: Gemini's security backend sees a legitimate-looking authorization scenario, while the victim sees or hears something completely harmless, SafeBreach said.
Researchers demonstrated two specific techniques:
- Obfuscated Fake Context Alignment: Gemini is made to place a malicious authorization question in another language (for example Chinese) immediately before an innocent English question. The victim hears only the English question and answers "Yes," and the backend check, which evaluated the Chinese question, treats that answer as authorization for the tool call.
- Muted Fake Context Alignment: this exploits a Gemini text-to-speech quirk in which the anchor text of a hyperlink is not vocalized. The attacker embeds the malicious question in a clickable link; the victim hears only a benign prompt, replies "Yes," and the backend authorizes the tool call based on the unspoken on-screen text.
Combining both techniques into what the researchers call an "Ultimate Combo" produced the most reliable and stealthy variant of the chain.
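Both variants exploit the same gap: nothing compares the text Gemini displays with the text it speaks, so a single "Yes" can be bound to a question the user never heard or could not read. The following Python is an added example (not SafeBreach's or Google's code) of a consistency check a hardening layer could run on an assistant's reply before it asks a yes/no question. It models the TTS quirk described above as "markdown link anchors are not spoken", assumes Latin script is the user's language, and flags questions that are displayed but not heard, questions in a script the user is not assumed to read, and any reply that leaves more than one question pending for one "Yes". The sample replies are constructed, not captured from Gemini.

```python
"""Spoken-vs-displayed consistency check for an assistant's yes/no question.

Added example, not SafeBreach's or Google's code. It models the two mismatches
described above: a question in a script the user is not assumed to read, and a
question hidden in markdown link anchor text that a TTS engine with the
described quirk never vocalizes. A hardening layer could run this before
binding a "Yes" to a pending tool authorization.
"""
import re
import unicodedata

LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")  # markdown [anchor](url)
# Rough sentence splitter: a run of text ending in an ASCII or full-width '?'.
# Abbreviations such as "e.g." split early; good enough for a gate like this.
QUESTION_RE = re.compile(r"[^.!?。！？]*[?？]")


def spoken_form(displayed: str) -> str:
    """Approximate the TTS output under the described quirk: the whole link,
    anchor text included, is dropped. Whitespace is normalised."""
    return " ".join(LINK_RE.sub(" ", displayed).split())


def questions(text: str) -> list:
    """Return the question sentences found in text, stripped of whitespace."""
    return [q.strip() for q in QUESTION_RE.findall(text) if q.strip()]


def in_user_script(text: str, script: str = "LATIN") -> bool:
    """True when every letter in text belongs to the user's script (assumed
    Latin here), judged by the Unicode character names."""
    letters = [c for c in text if c.isalpha()]
    return all(script in unicodedata.name(c, "") for c in letters)


def audit_reply(displayed: str, user_script: str = "LATIN") -> list:
    """Return findings for a reply that is about to ask the user something.

    An empty list means: every question the user will see is also one they
    will hear, in their own script, and only one question is pending.
    """
    findings = []
    spoken_questions = questions(spoken_form(displayed))

    # Obfuscated variant: a question is spoken but not in the user's script,
    # so a "Yes" to the adjacent English question also answers this one.
    for q in spoken_questions:
        if not in_user_script(q, user_script):
            findings.append(f"question not in user script: {q}")

    # Muted variant: a question lives only in link anchor text, never spoken.
    hidden_questions = []
    for anchor, url in LINK_RE.findall(displayed):
        for q in questions(anchor):
            hidden_questions.append(q)
            findings.append(f"question hidden in unspoken link anchor: {q} ({url})")

    # Either variant: a single "Yes" must not be bindable to several questions.
    if len(spoken_questions) + len(hidden_questions) > 1:
        findings.append("more than one question pending; a single Yes is ambiguous")
    return findings


if __name__ == "__main__":
    # Constructed replies, not captured from Gemini.
    SAMPLES = {
        "benign": "Do you want me to read your latest message?",
        "obfuscated": "你要允许读取所有消息吗？ Would you like a summary of today's weather?",
        "muted": ("Would you like to hear the weather? "
                  "[Allow Utilities to read your messages?](https://example.invalid/q)"),
    }
    for name, reply in SAMPLES.items():
        print(name, "->", audit_reply(reply) or "OK")
```

The check is deliberately conservative: it does not try to judge whether a question is malicious, only whether the user is in a position to answer it knowingly. In a real deployment the spoken form would come from the TTS pipeline itself rather than from a regex model of its behaviour.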
With Fake Context Alignment bypassing Gemini's newest mitigations, the researchers demonstrated several severe real-world exploitation scenarios.
Attackers could remotely trigger Google Home to control physical smart home devices, including connected windows, boilers, and lights.
They could also force the victim's device to silently launch Zoom and stream live video, by sending a request through a Safe Browsing-approved domain configured to return an HTTP 301 redirect to a Zoom app intent URI.
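The redirect trick works because a URL-reputation check such as Safe Browsing vets the URL the agent was handed, while the 301 on that approved host moves the final destination to an app intent after the check has passed. Below is an added Python example (not from the research or from Google) of how an agent that opens links on a user's behalf could follow redirects itself and refuse any hop that leaves http/https. The redirect chain and the host `approved.example` are constructed; the intent URI follows Android's `intent://` syntax but its host and `zoomus` scheme are placeholders. `http_opener` shows how the same logic is driven by live responses, while `demo()` uses a response table so the example runs offline.

```python
"""Follow redirects ourselves and refuse to hand off to a non-web scheme.

Added example, not from SafeBreach or Google. Reputation services vet the URL
an agent is given; a 301 on that approved host can still point the final hop
at an app intent URI. An agent that opens links on a user's behalf should walk
the chain itself and allow only http/https at every hop.
"""
import http.client
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def resolve_chain(url, opener, max_hops=MAX_HOPS):
    """Follow redirects with opener(url) -> (status, location_header).

    Every hop, including the last, must be http(s); the scheme is checked
    before the URL is fetched, so a non-web target is never even requested.
    Returns the list of hops; raises ValueError on a disallowed scheme or
    an over-long chain.
    """
    hops = [url]
    for _ in range(max_hops):
        current = hops[-1]
        scheme = urlsplit(current).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"refusing non-web scheme {scheme!r}: {current}")
        status, location = opener(current)
        if status in REDIRECT_STATUSES and location:
            # Relative Location headers resolve against the current hop, as a
            # browser would; absolute ones (of any scheme) replace it.
            hops.append(urljoin(current, location))
            continue
        return hops
    raise ValueError(f"too many redirects (>{max_hops})")


def check_url(url, opener):
    """(True, hops) when the chain ends on a web URL, else (False, reason)."""
    try:
        return True, resolve_chain(url, opener)
    except ValueError as exc:
        return False, str(exc)


def http_opener(url, timeout=5):
    """Live opener: one request per hop, no automatic redirect following.
    Not used by demo(), which runs offline."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed response table standing in for an attacker-controlled but
# reputation-approved host. The intent URI is illustrative Android intent
# syntax with a placeholder host and scheme (assumption, not from the page).
RESPONSES = {
    "https://approved.example/weather": (200, None),
    "https://approved.example/short": (302, "/meeting"),
    "https://approved.example/meeting": (301, "intent://zoom.us/j/000#Intent;scheme=zoomus;end"),
    "https://approved.example/loop": (302, "/loop"),
}


def table_opener(url):
    return RESPONSES.get(url, (404, None))


def demo():
    """Run the check over the constructed table; returns {path: (allowed, detail)}."""
    results = {}
    for path in ("/weather", "/short", "/loop"):
        results[path] = check_url("https://approved.example" + path, table_opener)
    return results


if __name__ == "__main__":
    for path, (allowed, detail) in demo().items():
        print(f"{path}: {'allowed' if allowed else 'blocked'} -> {detail}")
```

Because the scheme test runs before each fetch, the `/short` chain is stopped at the point where the 301 hands off to `intent://`, and the intent URI itself is never opened. A production version would also re-run the reputation check on every intermediate hop, not just the first.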
Particularly alarming was the social engineering potential: Gemini could be manipulated into faking messages from trusted contacts without the attacker knowing the contact's name in advance, enabling targeted phishing at scale.
The researchers also demonstrated long-term memory poisoning by writing persistent false data into Gemini's account-level memory, which propagates to every device linked to the victim's Google Workspace account: phones, tablets, computers, and smart speakers.
Scheduled surveillance was also achievable: Fake Context Alignment was used to establish a recurring task that reads the victim's recent messages every day at a set time.
SafeBreach reported these findings to Google’s Vulnerability Reward Program on August 17, 2025.
Google treated the report as high priority and confirmed on November 14, 2025, that improvements to its content classifiers mitigated both the notification-based indirect prompt injections and the Delayed Tool Invocation bypass.
Because the fix is server-side, no application update is required. Users who want to reduce residual exposure can disconnect the Utilities app in Gemini’s Connected Apps settings or revoke the Google app’s “Notification read, reply & control” permission on Android.
This research exposes a fundamental design weakness in LLM-powered voice assistants: as long as a single model both evaluates security-relevant context, such as whether the user consented to an action, and produces the user-facing output, an attacker only needs to make a malicious request look legitimate enough to slip past the guardrails.
Notification-based IPI attacks show that indirect prompt injections can be executed reliably through highly trusted, everyday communication channels, and vendors must rethink cross-channel permission models and trust boundaries before deploying agentic AI at scale.
The post New Gemini Flaw Exploited Through WhatsApp, Slack, and SMS Prompts appeared first on Cyber Security News.
