Google patched Gemini voice assistant flaw that let messaging notifications inject hidden commands

Researchers say attackers could have manipulated Google’s Gemini voice assistant through ordinary message notifications from apps such as WhatsApp, Slack, and SMS. SafeBreach calls the technique “Fake Context Alignment”: hidden instructions embedded in notification content were silently pulled into Gemini’s context when users asked it to read messages aloud, potentially enabling actions such as controlling Google Home devices, starting Zoom calls, sending deceptive messages, and poisoning long-term memory. Google was notified in August 2025 and patched the issue in November 2025 with content-classifier changes.
Why it matters: It shows how everyday messages could be turned into a hands-free attack path against AI assistants that are connected to calls, messages, and smart-home controls. Users and organizations relying on Gemini should make sure current protections are in place and treat unsolicited messages as a potential trigger for AI-assisted actions.

Sources

Gemini Voice Assistant Hijacked via Messaging Notifications
Eduard Kovacs 2026.06.04
This article establishes a distinct security story about a notification-based indirect prompt injection flaw in Google Gemini, separate from existing tracked stories about ChatGPT prompt injection, Gemini API key exposure, or other AI model security issues.