Indirect Prompt Injection via Notifications Hijacks Google Gemini on Android

TL;DR HIGH
  • What happened: Poisoned notifications could hijack Gemini on Android into executing real device actions without the user's knowledge.
  • Who's at risk: Android users with Google Gemini's Utilities feature enabled are exposed, particularly those using Gemini hands-free while driving.
  • Act now: Update Google Gemini and Android system apps to receive the latest patch · Disable Gemini Utilities notification-reading access until fully patched and audited · Treat unexpected foreign-language phrases or error messages from voice assistants as potential injection indicators
Overview

Security researcher Or Yair of SafeBreach disclosed a novel indirect prompt injection attack against Google Gemini on Android, demonstrating that a single malicious notification from apps including WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could cause the AI assistant to execute real device actions — such as opening windows, launching Zoom calls, faking messages from known contacts, or poisoning Gemini’s long-term memory. No malicious app installation is required; the attack surface exists wherever Gemini’s Utilities feature reads notification content.

Google has patched the vulnerability. No CVE has been assigned and no in-the-wild exploitation has been observed.

Technical Analysis

Gemini’s Android Utilities feature processes notification text as contextual input. Yair found that this input pipeline treats notification content as actionable instructions, meaning any party able to push a notification to a target device can deliver an injection payload — an attack surface Yair described as “effectively infinite.”

Google had previously hardened Gemini against indirect prompt injection following the team’s earlier “Invitation Is All You Need” research, which exploited malicious Google Calendar invites. The updated defences introduced an authorization check: when a sensitive action requires a “Yes” from the user, the system evaluates both the user’s response and Gemini’s most recent output to determine whether the affirmative actually answers a legitimate authorization question. An injected instruction that arrived out of context (for example, a delayed request unrelated to the preceding exchange) was consistently refused.

Yair’s bypass, termed Fake Context Alignment, defeats this check by making the user’s spoken “Yes” line up, from the backend’s point of view, with an authorization question the user never actually read or understood. Two techniques achieve this:

  1. Obfuscation via language switching — Gemini poses the real authorization question in a language the victim is unlikely to understand (e.g., Chinese: “Do you want to open the window?”), followed by an innocuous English question (“Is that all you needed?”). The victim dismisses the foreign text as a glitch and says “Yes”; the backend binds that affirmative to the Chinese question.

  2. Muted link burial — Gemini’s text-to-speech engine does not read text that is rendered as a clickable hyperlink. The malicious authorization question is placed inside such a link, so the assistant speaks only “I’m sorry, I had an error, are you there?” while the screen silently displays “Do you want to open the window?” A hands-free “Yes” from the driver is then matched against the on-screen question and satisfies the authorization check.

Combining both vectors — a foreign-language question hidden inside a muted hyperlink — produces a maximally stealthy payload.

In the blind variant of the attack, the payload harvests real sender names from the notification queue once it has loaded, enabling convincingly personalised social engineering (e.g., attributing a fake Drive upload request to the victim’s actual manager).

Framework Mapping

  • AML.T0051 (LLM Prompt Injection): Core technique; notification content is treated as instruction by the agent pipeline.
  • AML.T0043 (Craft Adversarial Data): Specially crafted notification text designed to bypass authorization controls.
  • AML.T0047 (ML-Enabled Product or Service): Gemini’s agentic integration with device functions creates the exploitable capability.
  • LLM01 (Prompt Injection) and LLM08 (Excessive Agency), OWASP LLM Top 10 2023 numbering: The assistant takes real-world device actions based on injected instructions without verified user intent.
  • LLM02 (Insecure Output Handling), 2023 numbering: Spoken and displayed output diverge and are manipulated to deceive the user into providing authorization.

Impact Assessment

The attack’s severity is amplified by its hands-free, eyes-off context: users relying on Gemini while driving are particularly vulnerable to audio-only deception. The memory poisoning vector means compromise can persist beyond the session that delivered the payload. The “effectively infinite” notification attack surface means defenders cannot enumerate or block all potential injection sources.

Mitigation & Recommendations

  • Apply the Google patch immediately: update Gemini and Android system components.
  • Disable Gemini Utilities notification access if the patch cannot be confirmed applied.
  • Treat unexpected foreign-language output or error messages from Gemini as a potential injection signal.
  • When operating hands-free, avoid confirming Gemini actions verbally without first reviewing the full on-screen text.
  • Vendors: Implement strict separation between data-plane content (notification text) and instruction-plane processing in agentic pipelines; authorization checks must be grounded exclusively in verified user intent channels.
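The following is an added example, not code from SafeBreach, Google or the research described here. It models in Python the authorization step from the Technical Analysis section and the vendor recommendation above: a check that binds the user’s “Yes” to whatever the assistant’s last rendered output contained (which the language-switch and muted-link tricks defeat) next to one that accepts the affirmative only for a system-generated question the user can both see and hear. The Markdown-link rendering, the assumption that TTS skips the whole link, the Han-script heuristic, the sample outputs and all function names are assumptions made for illustration.

```python
"""Added example (not SafeBreach's or Google's code): a toy model of the
confirmation step, contrasting a bypassable check with a hardened one.
Link syntax, TTS behaviour, script heuristic and names are assumptions."""
import re
from dataclasses import dataclass

# Assumption: links render as [visible text](target); the screen shows the
# visible text, while the TTS engine skips the whole link (as the page
# describes for hyperlinked text).
MD_LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")

# Canonical confirmation questions per locale for each sensitive action.
# The Chinese string is a constructed stand-in, not text from the research.
CONFIRM = {
    "open_window": {"en": "Do you want to open the window?",
                    "zh": "你想打开窗户吗？"},
}
AFFIRMATIVES = {"yes", "yeah", "sure", "ok", "okay"}


@dataclass
class PendingAction:
    action: str   # tool call awaiting user authorization


def displayed_text(rendered: str) -> str:
    """What the screen shows: link text kept, link target dropped."""
    return " ".join(MD_LINK.sub(r"\1", rendered).split())


def spoken_text(rendered: str) -> str:
    """What TTS reads aloud: the whole hyperlink is skipped."""
    return " ".join(MD_LINK.sub("", rendered).split())


def has_cjk(text: str) -> bool:
    """Crude script check for the language-switch trick (Han block only)."""
    return any("\u4e00" <= ch <= "\u9fff" for ch in text)


def is_affirmative(reply: str) -> bool:
    return reply.strip().lower().rstrip(".!") in AFFIRMATIVES


def vulnerable_authorize(reply: str, rendered: str, pending: PendingAction) -> bool:
    """Model of the pre-bypass check: accept "Yes" if the assistant's most
    recent output, in any language and anywhere on screen, contained the
    authorization question for the pending action. It never asks whether
    the user could hear or read that question."""
    shown = displayed_text(rendered)
    asked = any(q in shown for q in CONFIRM[pending.action].values())
    return is_affirmative(reply) and asked


def hardened_authorize(reply: str, rendered: str, pending: PendingAction,
                       locale: str) -> tuple[bool, str]:
    """Bind the confirmation to a question the user can see, hear and read:
    no hidden (unspoken) text, no unexpected script for the locale, and the
    canonical question must be the last thing spoken, so the "Yes" cannot
    attach to a trailing innocuous question."""
    if not is_affirmative(reply):
        return False, "no affirmative"
    shown, said = displayed_text(rendered), spoken_text(rendered)
    if shown != said:
        return False, "displayed text differs from spoken text"
    if locale == "en" and has_cjk(shown):
        return False, "unexpected script for locale"
    if not said.endswith(CONFIRM[pending.action][locale]):
        return False, "canonical question is not the final utterance"
    return True, "ok"


# Constructed sample outputs modelling the attack variants in the text.
SAMPLES = {
    "benign": "Do you want to open the window?",
    "language_switch": "你想打开窗户吗？ Is that all you needed?",
    "muted_link": ("I'm sorry, I had an error, are you there? "
                   "[Do you want to open the window?](https://example.invalid/x)"),
    "combined": ("I'm sorry, I had an error, are you there? "
                 "[你想打开窗户吗？](https://example.invalid/x)"),
}


def compare(reply: str = "Yes") -> dict[str, tuple[bool, bool]]:
    """Return {variant: (vulnerable_result, hardened_result)} per sample."""
    pending = PendingAction("open_window")
    return {name: (vulnerable_authorize(reply, out, pending),
                   hardened_authorize(reply, out, pending, "en")[0])
            for name, out in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:16s} vulnerable={vuln!s:5s} hardened={hard}")
```

The vulnerable check approves all four samples because the question it looks for is present somewhere in the rendered text; the hardened check approves only the benign one. The design point is that the confirmation question should be emitted by the system, not phrased by the model, and the affirmative should be matched against what was actually spoken and displayed, not against the model's free-form output.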
