WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

Published: 3 June 2026 at 19:11:15

Alert date: 3 June 2026 at 21:02:42

Source: thehackernews.com

Mobile & IoT, Email & Messaging, Emerging Technologies

A critical vulnerability in Google Gemini's voice assistant on Android allows attackers to hijack the assistant through poisoned notifications from popular messaging apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger. The attack requires no malicious app installation and can force the assistant to open connected windows, fake messages from contacts, initiate unwanted Zoom calls, or poison the assistant's long-term memory. The vulnerability demonstrates how notification content can be weaponized to manipulate AI assistants and compromise user privacy and security.

Technical details

A prompt injection vulnerability in Google Gemini's voice assistant on Android allowed attackers to hijack the system through poisoned notifications from messaging apps. The attack exploited Gemini's Utilities feature that reads notifications, treating notification text as executable instructions. The technique called 'Fake Context Alignment' used two methods to bypass security checks: 1) Obfuscated - asking authorization questions in foreign languages while displaying innocuous English text, and 2) Muted - hiding malicious authorization prompts in hyperlinks that text-to-speech skips. The attack could fake messages, control smart home devices, force app launches, poison long-term memory, and create persistent scheduled actions. No malicious app installation was required, only the ability to send notifications to the target device.
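
The two 'Fake Context Alignment' variants above both rely on a gap between what the user hears and what the model reads. The following pre-filter is an added example that makes that gap measurable; it is not Google's classifier or code from the research. It assumes text-to-speech skips link targets (as described above), uses a hypothetical word threshold and constructed sample notifications, and its mixed-script check only catches the Obfuscated variant when the foreign language uses a different script.

```python
import re
import unicodedata
from urllib.parse import unquote

URL_RE = re.compile(r"https?://\S+")
MIN_WORDS = 4  # assumed threshold: this many words in one URL field reads as a sentence

def spoken_view(text):
    """Approximate what text-to-speech reads aloud: link targets are skipped."""
    return " ".join(URL_RE.sub(" ", text).split())

def hidden_link_text(text):
    """Sentences carried inside URLs: visible to the model, never heard by the user."""
    hidden = []
    for url in URL_RE.findall(text):
        rest = url.split("://", 1)[1].partition("/")[2]  # drop scheme and host
        for field in re.split(r"[/?&=#]", rest):
            phrase = unquote(field.replace("+", " ")).strip()
            if len(phrase.split()) >= MIN_WORDS:
                hidden.append(phrase)
    return hidden

def letter_scripts(text):
    """Unicode scripts used by letters, taken from the first word of each character name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})

def assess(notification):
    """Flag notification text whose model-visible content differs from what the user hears."""
    spoken = spoken_view(notification)
    hidden = hidden_link_text(notification)
    scripts = letter_scripts(spoken)
    return {
        "spoken": spoken,
        "muted_text": hidden,                                  # 'Muted' indicator
        "mixed_scripts": scripts if len(scripts) > 1 else [],  # partial 'Obfuscated' indicator
        "suspicious": bool(hidden) or len(scripts) > 1,
    }

# Constructed sample notifications (not taken from the research)
SAMPLES = [
    "Lunch at 12? https://example.test/menu",
    "Photos from today https://example.test/a?note=this%20text%20is%20never%20spoken%20aloud",
    "Meeting moved to 3pm. Добрый день",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s))
```

A flagged notification is a candidate for being withheld from the assistant or passed only as its spoken view, so that the user and the model see the same text.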

Mitigation steps:

Google has implemented server-side fixes through content-classifier improvements that mitigate notification injections and the Delayed Tool Invocation bypass. No app update is required. Users can protect themselves by: 1) Disconnecting the Utilities app in Gemini's Connected Apps settings, or 2) Turning off the Google app's 'Notification read, reply & control' permission on Android to prevent Gemini from reading notifications entirely.

Affected products:

Google Gemini voice assistant on Android
WhatsApp
Slack
SMS
Signal
Instagram
Messenger
Google Home connected devices

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
