Full Report
A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini's voice assistant on Android and made it open a victim's connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile
Analysis Summary
# Vulnerability: Indirect Prompt Injection via Android Notifications (Fake Context Alignment)
## CVE Details
- **CVE ID:** None assigned (Reported via Google VRP)
- **CVSS Score:** N/A (Google treated it as a **High Priority** issue)
- **CWE:** CWE-506: Embedded Malicious Code (Indirect Prompt Injection) / CWE-1039: Automated Recognition Issues
## Affected Systems
- **Products:** Google Gemini Assistant
- **Versions:** Android version of the app (specifically the "Utilities" feature) prior to the late 2025 patch.
- **Configurations:** Gemini must have permission to read and reply to notifications (WhatsApp, Slack, SMS, Signal, Instagram, Messenger, etc.).
- **Note:** iOS and Web versions are NOT affected.
## Vulnerability Description
The flaw is an **Indirect Prompt Injection** vulnerability. Google Gemini’s "Utilities" feature processes the text of incoming notifications to provide context for user interactions. An attacker can send a specially crafted notification (e.g., via WhatsApp) containing hidden instructions that the LLM interprets as commands.
To bypass security mitigations that require user authorization for sensitive actions, the researcher developed a technique called **Fake Context Alignment**. This exploit tricks the backend security check by providing a "Yes" confirmation that the system associates with a malicious command (hidden in a foreign language or within muted hyperlink tags) while the human user believes they are responding to a simple English greeting or error message.
## Exploitation
- **Status:** PoC available (Developed by SafeBreach); no evidence of exploitation in the wild.
- **Complexity:** Medium (Requires crafting specific payloads that bypass "Context Alignment" checks).
- **Attack Vector:** Network (Remote via messaging apps/SMS). No malicious app on the device is required.
## Impact
- **Confidentiality:** High (Can be used to exfiltrate data, geolocate the user via IP, or read private notifications).
- **Integrity:** High (Can "poison" long-term memory, change contact names, or send fake messages).
- **Availability:** Low (Primarily focused on hijacking control and data).
- **Physical/Real-world:** High (Ability to control smart home devices like windows, boilers, and lights).
## Remediation
### Patches
- **Google Update:** Google has patched this vulnerability server-side and via app updates following the report on August 17, 2025. Users should ensure their Google Gemini and Google app versions are up to date.
### Workarounds
- **Disable Notification Access:** Revoke Gemini’s permission to read notifications in Android settings.
- **Disable Utilities:** Turn off the "Utilities" extension within Gemini settings to prevent it from interacting with other apps.
## Detection
- **Indicators of Compromise:**
  - Gemini responding in unexpected languages (e.g., Chinese).
  - Gemini asking "Are you there?" or "Is that all you need?" immediately after a strange notification arrives.
  - Unexpected smart home activations or unauthorized app launches (e.g., Zoom).
- **Detection Methods:** Monitor for unusual account-level changes in Gemini’s "Memory" settings (e.g., incorrect personal details or saved preferences not set by the user).
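
The following pre-filter is an added example, not Google's or SafeBreach's code: it flags notification text that mixes the user's expected script with another one or carries hyperlink markup, the two hiding places named in the description above, so that such text can be withheld from assistant context. The function names, threshold, package name and sample notifications are constructed assumptions.

```python
import re
import unicodedata
from collections import Counter

# Assumption: "hyperlink markup" means HTML anchor tags or Markdown links.
LINK_RE = re.compile(r"<\s*/?\s*a\b[^>]*>|\[[^\]]*\]\([^)]*\)", re.IGNORECASE)


def script_counts(text):
    """Count letters per Unicode script, using the first word of each name."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


def assess_notification(text, expected_scripts=("LATIN",), min_foreign=4):
    """Return the reasons a notification should be kept out of assistant context."""
    reasons = []
    if LINK_RE.search(text):
        reasons.append("hyperlink-markup")
    counts = script_counts(text)
    expected = sum(n for s, n in counts.items() if s in expected_scripts)
    foreign = sum(n for s, n in counts.items() if s not in expected_scripts)
    # A readable greeting in the user's script plus a run in another script
    # matches the case where the user and the model act on different text.
    if expected > 0 and foreign >= min_foreign:
        reasons.append("mixed-script")
    return reasons


# Constructed sample notifications (hypothetical package name, benign text).
SAMPLES = [
    ("com.example.chat", "Hey, are we still on for lunch at 1?"),
    ("com.example.chat", "Hello! 你好，请稍后回复这条消息"),
    ("com.example.chat", 'Error loading message <a href="#">placeholder text</a>'),
]

if __name__ == "__main__":
    for package, text in SAMPLES:
        reasons = assess_notification(text)
        verdict = "HOLD " + ",".join(reasons) if reasons else "PASS"
        print(f"{package}: {verdict}: {text!r}")
```

A message written wholly in one script passes the script check by design, so `expected_scripts` should list every script the user normally receives messages in.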
## References
- **SafeBreach Original Research:** hxxps[://]www[.]safebreach[.]com/blog/gemini-voice-assistant-prompt-injection-exploit/
- **Google Security Blog:** hxxps[://]blog[.]google/security/mitigating-prompt-injection-attacks/
- **Gemini Utilities Support:** hxxps[://]support[.]google[.]com/gemini/answer/15235441