New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS
Cybersecurity NewsArchived Jun 03, 2026✓ Full text saved
A new class of indirect prompt injection (IPI) attacks targets Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger. The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation […] The post New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS appear
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS
By Guru Baran
June 3, 2026
A new class of indirect prompt injection (IPI) attacks targets Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.
The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation Is All You Need” disclosure, which weaponized Google Calendar invitations against Gemini.
This time, the attack surface is far larger; any application capable of triggering a device notification becomes a viable delivery vector.
Google Gemini Vulnerability Exploited
The core exploit leverages Gemini’s Android Utilities agent, specifically the tool that reads incoming notifications. Because this tool processes untrusted data from third-party apps, an attacker can embed malicious instructions directly inside a crafted message.
Once Gemini reads the poisoned notification, it silently incorporates the attacker’s commands into the conversational context without the user’s knowledge.
Even without invoking external tools, this notification-based IPI enables context poisoning that allows attackers to control Gemini’s output entirely. A manipulated assistant could, for example, relay a fake system message: “There was an error — click here to refresh” — a classic phishing lure delivered through a trusted AI interface.
Fake Context Alignment: Bypassing Google’s Defenses
After Google patched earlier vulnerabilities by blocking chained tool invocations and Delayed Tool Invocation, SafeBreach researchers developed a novel bypass technique dubbed Fake Context Alignment.
The technique creates a dual illusion, presenting a legitimate authorization scenario to Gemini’s backend security mechanisms while showing the victim an entirely benign interaction.
Two techniques were demonstrated:
Obfuscated Fake Context Alignment: Gemini appends a malicious authorization question in a foreign language (e.g., Chinese: “你想打开窗户吗?” — “Do you want to open the window?”) immediately followed by a harmless English question. The user replies “Yes” to the English prompt while the backend aligns the affirmative with the hidden Chinese instruction, triggering tool execution.
Muted Fake Context Alignment: The malicious question is embedded as clickable link text that Gemini’s text-to-speech engine silently skips. The user hears only a benign voice prompt and unknowingly authorizes a tool call by replying “Yes.”
Combining both techniques into an “Ultimate Combo” payload allowed researchers to bypass all of Google’s latest mitigations with high reliability and near-zero user awareness.
With Delayed Tool Invocation re-enabled, researchers demonstrated a range of high-severity exploits. The emergence of smart home technology has facilitated various forms of exploitation, such as remotely controlling connected devices like windows, boilers, and lighting via Google Home.
Additionally, there are alarming tactics like covert video streaming, where an attacker can force Zoom to launch and stream the victim’s camera live through a 301 HTTP redirect from a Safe Browsing-approved domain.
Large-scale social engineering schemes are on the rise, fabricating messages from trusted contacts without prior knowledge of the contacts’ names by extracting real sender names from the notification queue.
Moreover, persistent memory poisoning has become a critical concern, as it involves injecting false information into Gemini’s long-term memory across the victim’s entire Google Workspace account, affecting tablets, computers, and smart speakers.
Lastly, scheduled surveillance tactics allow the establishment of recurring tasks that automatically read the user’s recent messages daily, further compromising their privacy and security.
SafeBreach disclosed the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements successfully mitigated the indirect prompt injection and Delayed Tool Invocation scenarios described in the research.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical Plesk Vulnerability Let Users Execute Arbitrary Commands on the Server
Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks
Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection
Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026
Latest News
Cyber Security News
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
ANY.RUN
Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises
Cyber Security News
CISA and Partners Warns of Cyberattacks Targeting U.S.-based Automatic Tank Gauge Systems
AI
Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access
Cyber Security News
WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks