Google has patched a flaw in Gemini on Android that let a poisoned notification from apps such as WhatsApp, Slack, SMS, Signal, Instagram or Messenger influence the voice assistant and potentially trigger actions such as opening connected windows, sending fake messages, joining Zoom calls or poisoning memory, according to a technical analysis by SafeBreach.
KEY FACTS
- Platform The issue affected Gemini’s Utilities feature on Android, which can read and reply to notifications.
- Attack surface Any app that can push a notification could carry a payload, which the researcher described as effectively infinite.
- Fix Google said content-classifier improvements mitigated notification injections and the bypass technique.
- Status SafeBreach reported the issue on Aug. 17, 2025, and said there was no evidence of in-the-wild abuse.
The report said the attack relied on Gemini treating hostile notification text as useful context. That could let an attacker rewrite what the assistant said aloud, including faking a message from a named contact, which could be risky in a hands-free setting.
SafeBreach said Google had already hardened Gemini against indirect prompt injection after earlier calendar-based abuse, but the new method found a way around those checks. The researcher called the bypass Fake Context Alignment and said it worked by making a malicious authorization prompt look legitimate to the assistant while presenting something harmless to the user.
In one variant, the assistant could show a question in a language the user might not understand, then follow with an English prompt that seemed routine. In another, the question could be hidden behind clickable text that Gemini would not read aloud, while the screen still displayed the sensitive request.
Beyond spoofed messages, the demo showed additional effects, including smart home control, opening URLs, forcing a Zoom app join flow, poisoning long-term memory and setting scheduled actions. Google confirmed on Nov. 14, 2025, that its server-side changes mitigated the notification injections and the delayed tool invocation bypass.
WHY IT MATTERS
The findings show how notification content can become an attack path when an assistant is allowed to read and act on messages. For users who do not want that exposure, the practical options are to disable Gemini’s notification-reading features or turn off the Android permission that lets the Google app read, reply to and control notifications.