CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

The Hacker News Archived Jun 04, 2026 ✓ Full text saved

A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini's voice assistant on Android and made it open a victim's connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile

Full text archived locally
✦ AI Summary · Claude Sonnet


    WhatsApp, Slack Notifications Could Hijack Google Gemini on Android Swati KhandelwalJun 03, 2026Vulnerability / Artificial Intelligence A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini's voice assistant on Android and made it open a victim's connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile notification as useful context. The research, published by SafeBreach's Or Yair, follows the team's earlier "Invitation Is All You Need" work, which pulled off similar tricks through malicious Google Calendar invites. After that, Google hardened Gemini against indirect prompt injection. Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVE for the issue, and there is no evidence that the technique was ever used in the wild. On Android, Gemini's Utilities feature can read and reply to your notifications, including ones from apps like WhatsApp. It isn't available on iOS or the web, which keeps this vector Android-only. Yair found the agent that reads those notifications treats their text as instructions it can act on. So anything that can push a notification to a phone can deliver a payload, an attack surface Yair called "effectively infinite." At minimum, that lets an attacker rewrite what Gemini says, including faking a message from a named contact. Spoken aloud while you drive and don't look at the screen, "your manager asked you to upload the docs to this Drive folder" is hard to second-guess. The blind version is worse: the payload fires after Gemini has loaded real notifications, so it can grab the first real sender name in the queue and pin the fake message on them. Faking output is one thing. Firing real tools, like opening a window or launching an app, is what Google's post-"Invitation" mitigations were built to stop. Yair's read, from black-box testing: when a "Yes" authorizes a sensitive action, a check weighs both the user's reply and Gemini's last output to decide whether that "Yes" makes sense. Inject a delayed instruction out of nowhere, and Gemini refused, every time. So the bypass, which Yair named Fake Context Alignment, runs two illusions at once: a legitimate-looking authorization for the security check, a harmless exchange for the human. Obfuscated. Gemini asks the real authorization question in a language the victim doesn't speak, say Chinese ("Do you want to open the window?"), then follows in English with something innocuous like "Is that all you needed?" The user shrugs off the foreign phrase as a glitch, says "Yes," and the backend ties that "Yes" to the Chinese question. Muted. Gemini's text-to-speech skips hyperlinks hidden behind clickable text. So the malicious question gets buried in a link the assistant never reads aloud. Gemini says, "I'm sorry, I had an error, are you there?" while the screen silently shows "Do you want to open the window?" The driver says "Yes," the check sees the on-screen text, and the windows open. Combine the two, a Chinese authorization prompt hidden inside a muted link, and you get a payload that sounds like a normal English exchange while clearing Google's newest checks. Past the authorization gate, the impacts matched the earlier research and then went further: Smart home control through Google Home: connected windows, boilers, and lights. Tracking and downloads. Opening URLs to geolocate a victim by IP or push file downloads. Crossing into other apps. In the demo, Yair set a safe-looking domain to redirect to a Zoom app link, and Gemini followed it without prompting, forcing the phone to join a meeting and stream video. By his account, it worked because Gemini trusted the domain after it had served clean content, then followed the later redirect. SafeBreach stresses its own domain never redirected to Zoom; the redirect ran on a local server on the test device. Memory poisoning, which the earlier calendar technique never managed. Fake Context Alignment simulates consent, so Gemini persistently saved an attacker-chosen fact. In the demo, it stored the victim's name as "Danny." Because that memory is account-level, the poisoned fact isn't stuck on the phone; it follows the victim wherever they use Gemini on that account. Persistence via scheduled actions, such as a recurring task to read the victim's recent messages every day at 8 PM. SafeBreach reported the findings to Google's Vulnerability Reward Program on August 17, 2025. Google treated it as a high priority and confirmed on November 14, 2025, that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass. Because the fix is server-side, there is no app update to chase. The only control users have is whether Gemini reads notifications at all: disconnect the Utilities app in Gemini's Connected Apps settings, or turn off the Google app's "Notification read, reply & control" permission on Android. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Android, artificial intelligence, cybersecurity, Gemini, Google, Prompt Injection, SafeBreach, smart home, Voice Assistant, Vulnerability ⚡ Top Stories This Week AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Malicious npm Package Stole Files From Claude AI User Directory via GitHub Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Load More ▼ ⭐ Featured Resources [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed) Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗