Google Gemini Voice Assistant Hijacked via WhatsApp, Slack and SMS: Researchers Bypass All Google Defenses

dark6 5 June 2026

Researchers at SafeBreach have demonstrated a new class of indirect prompt injection (IPI) attacks against Google Gemini’s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger. The research represents a significant escalation in AI security threats, moving from theoretical exploits to fully demonstrated attack chains that bypass Google’s latest defenses.

The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation Is All You Need” disclosure, which weaponized Google Calendar invitations against Gemini. This new attack surface is dramatically larger: any application capable of triggering a device notification becomes a viable delivery vector.

How the Notification-Based Prompt Injection Works

The core exploit targets Gemini’s Android Utilities agent — specifically the tool that reads incoming notifications from third-party applications. Because this tool processes untrusted data from apps the user has installed, an attacker can embed malicious instructions directly inside a crafted message. When Gemini reads the poisoned notification, it silently incorporates the attacker’s commands into its conversational context without the user’s awareness.

Even without invoking external tools, this notification-based injection enables context poisoning that allows attackers to control Gemini’s output entirely. A manipulated assistant could relay a fake system message such as “There was an error — click here to refresh” — a classic phishing lure delivered through the trusted interface of an AI voice assistant the user has explicitly authorized on their device.

Bypassing Google’s Defenses: Fake Context Alignment

After Google patched earlier vulnerabilities by blocking chained tool invocations and Delayed Tool Invocation, SafeBreach researchers developed a novel bypass technique called Fake Context Alignment. The technique creates a dual illusion — presenting a legitimate authorization scenario to Gemini’s backend security mechanisms while showing the victim an entirely benign interaction.

Two specific bypass variants were demonstrated:

  • Obfuscated Fake Context Alignment: Gemini appends a malicious authorization question in a foreign language immediately followed by a harmless English question. The user replies “Yes” to the English prompt, but the backend aligns the affirmative response with the hidden foreign-language instruction, triggering unauthorized tool execution. The victim never sees or hears the malicious component of the exchange.
  • Muted Fake Context Alignment: The malicious question is embedded as clickable link text that Gemini’s text-to-speech engine silently skips. The user hears only a benign voice prompt and unknowingly authorizes a tool call by replying “Yes.” No visual or audio cue indicates what has actually been authorized.

Combining both techniques into what SafeBreach calls an “Ultimate Combo” payload allowed researchers to bypass all of Google’s latest mitigations with high reliability and near-zero user awareness.

High-Severity Exploits Demonstrated

With Delayed Tool Invocation re-enabled, the researchers demonstrated a range of high-severity real-world attack scenarios:

  • Smart home takeover: Remotely controlling connected devices including windows, boilers, and lighting via Google Home integration.
  • Covert video streaming: Forcing Zoom to launch and stream the victim’s camera live through an HTTP 301 redirect from a Safe Browsing-approved domain, bypassing Google’s URL filtering.
  • Large-scale social engineering: Fabricating messages from trusted contacts without prior knowledge of those contacts’ identities, by extracting real sender names from the device’s notification queue.
  • Persistent memory poisoning: Injecting false information into Gemini’s long-term memory across the victim’s entire Google Workspace account — affecting tablets, computers, and smart speakers simultaneously.
  • Scheduled surveillance: Establishing recurring tasks that automatically read the user’s recent messages on a daily basis, creating a persistent exfiltration channel invisible to the user.

Disclosure and Current Status

SafeBreach disclosed these findings to Google’s Vulnerability Reward Program on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements successfully mitigated the indirect prompt injection and Delayed Tool Invocation scenarios described in the research.

However, the broader attack surface revealed by this research — the fact that any notification-sending app on an Android device can potentially be used to inject malicious instructions into an AI assistant — raises fundamental questions about how AI agents handle untrusted data from third-party sources. As AI assistants gain deeper integrations with smart home devices, collaboration tools, and enterprise applications, the attack surface exposed by prompt injection will only grow.

What Users and Developers Should Do

For end users, limiting which applications can send notifications to your device and being cautious about granting AI assistants access to sensitive integrations are the most practical near-term mitigations. For developers building AI-powered applications, implementing strict input sanitization and context boundaries around data sourced from third-party notifications and untrusted communication channels is essential. The SafeBreach research makes clear that without deliberate architectural safeguards, any AI system that reads external data is potentially vulnerable to indirect prompt injection.
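One way to enforce such a context boundary at the confirmation step, as an added example that is not SafeBreach’s or Google’s code: both Fake Context Alignment variants relied on the spoken confirmation differing from the text the backend treated as authorized (a hidden foreign-language question, or a question hidden in link text the TTS engine skipped). The guard below refuses to use a confirmation prompt to gate a tool call unless every word of it is spoken, it uses a single script, and it asks exactly one question; the segment model and the rule that link text is not spoken are assumptions for the example.

```python
import unicodedata
from dataclasses import dataclass


@dataclass
class Segment:
    """One piece of an assistant confirmation prompt (hypothetical model)."""
    text: str
    is_link: bool = False  # assumed: link text is rendered but not spoken by TTS


def spoken_text(segments):
    """What the user would hear if link text is skipped by the TTS engine."""
    return " ".join(s.text for s in segments if not s.is_link).strip()


def full_text(segments):
    """What the backend would treat as the question being answered."""
    return " ".join(s.text for s in segments).strip()


def scripts_used(text):
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def confirmation_is_safe(segments, expected_script="LATIN"):
    """Return (ok, reason). A prompt may gate a tool call only if every word
    of it is spoken, it uses one script, and it asks exactly one question."""
    spoken, full = spoken_text(segments), full_text(segments)
    if spoken != full:
        return False, "unspoken content in confirmation prompt"
    if scripts_used(full) - {expected_script}:
        return False, "mixed-script confirmation prompt"
    if full.count("?") != 1:
        return False, "confirmation prompt must contain exactly one question"
    return True, "ok"


# Constructed sample prompts (not from the research) for exercising the guard.
SAMPLE_BENIGN = [Segment("Do you want me to read today's calendar?")]
SAMPLE_MUTED = [Segment("Do you want me to refresh?"),
                Segment("and also run the scheduled task?", is_link=True)]
SAMPLE_OBFUSCATED = [Segment("Продолжить? Do you want me to refresh?")]

if __name__ == "__main__":
    for name, prompt in [("benign", SAMPLE_BENIGN), ("muted", SAMPLE_MUTED),
                         ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(name, confirmation_is_safe(prompt))
```

The single-question rule is a heuristic; the spoken-equals-full check is the part that directly closes the gap the Muted variant exploited.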

Source: CyberSecurityNews.com
