A new class of indirect prompt injection (IPI) attacks targets Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.
The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation Is All You Need” disclosure, which weaponized Google Calendar invitations against Gemini.
This time, the attack surface is far larger; any application capable of triggering a device notification becomes a viable delivery vector.
Google Gemini Vulnerability Exploited
The core exploit leverages Gemini’s Android Utilities agent, specifically the tool that reads incoming notifications. Because this tool processes untrusted data from third-party apps, an attacker can embed malicious instructions directly inside a crafted message.
Once Gemini reads the poisoned notification, it silently incorporates the attacker’s commands into the conversational context without the user’s knowledge.
Even without invoking external tools, this notification-based IPI enables context poisoning that allows attackers to control Gemini’s output entirely. A manipulated assistant could, for example, relay a fake system message: “There was an error — click here to refresh” — a classic phishing lure delivered through a trusted AI interface.
Fake Context Alignment: Bypassing Google’s Defenses
After Google patched earlier vulnerabilities by blocking chained tool invocations and Delayed Tool Invocation, SafeBreach researchers developed a novel bypass technique dubbed Fake Context Alignment.
The technique creates a dual illusion, presenting a legitimate authorization scenario to Gemini’s backend security mechanisms while showing the victim an entirely benign interaction.
Two techniques were demonstrated:
- Obfuscated Fake Context Alignment: Gemini appends a malicious authorization question in a foreign language (e.g., Chinese: “你想打开窗户吗?” — “Do you want to open the window?”) immediately followed by a harmless English question. The user replies “Yes” to the English prompt while the backend aligns the affirmative with the hidden Chinese instruction, triggering tool execution.
- Muted Fake Context Alignment: The malicious question is embedded as clickable link text that Gemini’s text-to-speech engine silently skips. The user hears only a benign voice prompt and unknowingly authorizes a tool call by replying “Yes.”
Combining both techniques into an “Ultimate Combo” payload allowed researchers to bypass all of Google’s latest mitigations with high reliability and near-zero user awareness.
With Delayed Tool Invocation re-enabled, researchers demonstrated a range of high-severity exploits. The emergence of smart home technology has facilitated various forms of exploitation, such as remotely controlling connected devices like windows, boilers, and lighting via Google Home.
Additionally, there are alarming tactics like covert video streaming, where an attacker can force Zoom to launch and stream the victim’s camera live through a 301 HTTP redirect from a Safe Browsing-approved domain.
Large-scale social engineering schemes are on the rise, fabricating messages from trusted contacts without prior knowledge of the contacts’ names by extracting real sender names from the notification queue.
Moreover, persistent memory poisoning has become a critical concern, as it involves injecting false information into Gemini’s long-term memory across the victim’s entire Google Workspace account, affecting tablets, computers, and smart speakers.
Lastly, scheduled surveillance tactics allow the establishment of recurring tasks that automatically read the user’s recent messages daily, further compromising their privacy and security.
SafeBreach disclosed the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements successfully mitigated the indirect prompt injection and Delayed Tool Invocation scenarios described in the research.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
