If you're an Android user, you probably don't think twice when a routine notification pops up on your phone, especially if it looks like a normal text, Slack message or WhatsApp alert.
But new research suggests those everyday notifications can create a far stranger security risk than a suspicious link. In some cases, the message does not need to be opened, tapped or downloaded to become dangerous. It only needs to be processed by Gemini.
That is the concern raised by cybersecurity firm SafeBreach Labs, which uncovered a notification-based prompt injection vulnerability affecting Google Gemini on Android.
According to the researchers, attackers could send hidden instructions through ordinary messaging notifications, allowing Gemini’s voice assistant to silently absorb malicious commands as part of its conversation context.
SafeBreach says the technique could be used to manipulate Gemini’s responses, fake messages from trusted contacts, trigger connected tools, control smart home devices or even poison Gemini’s long-term memory. The company also says Google has since rolled out content classifier updates designed to mitigate the vulnerability.
How the attack works
The vulnerability relies on a threat category known as Indirect Prompt Injection. This happens when an attacker hides malicious commands inside content they know an AI is going to read, rather than typing the command directly into the AI prompt window.
Because Google Gemini’s Android assistant is designed to scan incoming notifications to provide helpful, context-aware responses, it automatically reads incoming alerts.
Google already utilizes advanced machine learning filters to stop Gemini from following instructions embedded in external text. However, SafeBreach found that by carefully structuring the hidden text — sometimes burying it in foreign languages or invisible, muted hyperlinks — they could trick Gemini into thinking the malicious instruction was actually a legitimate part of the user’s ongoing conversation history.
By aligning the attack to look like safe context, the payload slipped past Google's defenses entirely.
What hackers could do
Once Gemini ingested the poisoned notification, the researchers found they could force the AI assistant into executing an alarming array of unauthorized tasks without giving the user any visual or audio alerts. SafeBreach demonstrated several high-risk attack scenarios:
- Physical domain control: Forcing Gemini to interact with Google Home utilities to adjust smart appliances, turn on boilers, or unlock connected windows.
- Silent surveillance: Command Gemini to instantly force the phone into an active Zoom video call, effectively turning the device into a remote spy camera.
- Memory poisoning: Permanently corrupting Gemini's "Saved Info" (its long-term memory), ensuring that the malicious instructions would persist across completely different chat sessions days later.
- Blind impersonation and phishing: Instructing Gemini to look at the notification history, grab the name of the first authentic sender it sees (like a manager or a spouse), and deliver a fake, localized message supposedly from them.
- The voice assistant trap: This exploit specifically targeted Gemini's voice assistant capabilities. Because voice tools are designed to mimic a natural flow, Gemini automatically opens the device's microphone after speaking to wait for a reply. SafeBreach used a trick called Delayed Tool Invocation, instructing the poisoned AI to sit quietly and wait until the user said a benign word like "Thanks" hours later to execute the attack.
The good news is it's already patched
If you are reading this and panicking about your phone, you can breathe a sigh of relief. SafeBreach followed responsible disclosure protocols, privately reporting the "Fake Context Alignment" vulnerability to Google.
Google has since deployed a server-side patch, upgrading its content classifiers to block this specific form of context manipulation. SafeBreach reports that there is no evidence this technique was ever used by actual threat actors in the wild.
The underlying problem isn't going away
This isn't a traditional coding bug in WhatsApp or Signal; it’s an architectural challenge inherent to how advanced, agentic AI systems work.
As tech companies race to give AI assistants more power — letting them read our emails, monitor our screens, manage our schedules and control our operating systems — the potential "blast radius" of a prompt injection grows exponentially. If an AI treats untrusted external data as safe context, it will remain a prime target for hackers.
To protect your device against future, undiscovered notification-based exploits, practicing good permission hygiene is your best defense. Start by auditing Gemini permissions. Go to your Android settings, locate Gemini's app permissions, and consider disabling its access to system notifications unless you absolutely need it. You'll also want to toggle off connections to utilities or workspace apps you don't actively use.
In general, pay attention to any unusual AI behavior. If Gemini suddenly prompts you, asks odd clarifying questions, responds in a way that feels disconnected from what you asked or opens tools you did not request, close the assistant window immediately.
As always, Tom’s Guide will continue tracking the latest AI security news, vulnerabilities and breaches to help you understand the risks and stay safe.
