Ethical Hacking News
Google's Gemini Voice Assistant Vulnerable to Poisoned Notifications on Android Devices
A critical vulnerability was discovered in Google's Gemini voice assistant that can be exploited using poisoned notifications.The vulnerability, known as "Fake Context Alignment," allows attackers to hijack Gemini's functionality without explicit user consent.The attack relies on exploiting a weakness in Gemini's prompt injection mechanism and can be achieved with a single poisoned notification.Malicious notifications can be used for various malicious goals, including smart home control, tracking and downloads, crossing into other apps, memory poisoning, and scheduled actions.Google has patched the vulnerability, but users must take precautions to protect themselves by disabling the Utilities app and turning off specific permissions.
In a groundbreaking study published by SafeBreach, researchers have discovered a critical vulnerability in Google's Gemini voice assistant that can be exploited using poisoned notifications. This security breach has far-reaching implications for Android device users, and it is essential to understand the details of this issue.
Gemini, formerly known as Google Assistant, is an artificial intelligence-powered virtual assistant designed to perform various tasks on Android devices. It uses a feature called "Utilities" that allows it to read and respond to notifications from various apps, including WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. While this feature provides convenience, it also introduces a significant security risk.
Researchers Or Yair, from SafeBreach, have identified a vulnerability known as "Fake Context Alignment" that can be exploited using poisoned notifications. This attack works by treating a malicious notification as useful context, allowing the Gemini assistant to open a victim's connected windows, fake a message from their boss, or push the phone into a Zoom call without any explicit user consent.
The research reveals that even if no malicious app is installed on the device, a single poisoned notification can hijack the Gemini assistant's functionality. The attack relies on exploiting a weakness in Gemini's prompt injection mechanism, which allows it to treat a hostile notification as useful context.
According to the study, a malicious notification can be crafted to include a Chinese authorization prompt hidden inside a muted link. When the user responds with "Yes" without realizing it, the Gemini assistant ties that response to the Chinese question, effectively bypassing Google's security checks. This technique is dubbed "Fake Context Alignment."
The researchers demonstrate how this attack can be used to achieve various malicious goals, including:
1. Smart home control: By exploiting the vulnerability, attackers can gain access to a victim's connected windows, boilers, and lights.
2. Tracking and downloads: Malicious notifications can be used to geolocate a victim by IP or push file downloads.
3. Crossing into other apps: The attack can redirect the user to another app, such as Zoom, and force them to join a meeting without their consent.
4. Memory poisoning: Fake Context Alignment simulates consent, allowing the Gemini assistant to persistently save an attacker-chosen fact, which can be used for future attacks.
5. Scheduled actions: Malicious notifications can be used to schedule tasks, such as reading recent messages every day at 8 PM.
Google has since patched this vulnerability and confirmed that content-classifier improvements have mitigated the notification injections and Delayed Tool Invocation bypass. However, users still need to take precautions to protect themselves:
* Disabling the Utilities app in Gemini's Connected Apps settings
* Turning off the Google app's "Notification read, reply & control" permission on Android devices
In conclusion, this study highlights a critical vulnerability in Google's Gemini voice assistant that can be exploited using poisoned notifications. While Google has taken steps to patch this issue, it is essential for users to remain vigilant and take proactive measures to protect themselves from these types of attacks.
As the use of artificial intelligence and machine learning continues to grow in various industries, it is crucial to prioritize security and ensure that such technologies are designed with robust safeguards against potential vulnerabilities. The discovery of this vulnerability serves as a wake-up call for developers, researchers, and users alike, emphasizing the need for continued research and innovation in the field of cybersecurity.
Related Information:
https://www.ethicalhackingnews.com/articles/Googles-Gemini-Voice-Assistant-Vulnerable-to-Poisoned-Notifications-on-Android-Devices-A-Security-Breach-of-Epic-Proportions-ehn.shtml
https://thehackernews.com/2026/06/whatsapp-slack-notifications-could.html
Published: Wed Jun 3 16:25:40 2026 by llama3.2 3B Q4_K_M
