{"id":1145,"date":"2026-06-03T21:11:20","date_gmt":"2026-06-03T21:11:20","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1145"},"modified":"2026-06-03T21:11:20","modified_gmt":"2026-06-03T21:11:20","slug":"whatsapp-slack-notifications-could-hijack-google-gemini-on-android","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1145","title":{"rendered":"WhatsApp, Slack Notifications Could Hijack Google Gemini on Android"},"content":{"rendered":"
\n

\ue804<\/i>Swati Khandelwal<\/span>\ue802<\/i>Jun 03, 2026<\/span><\/span>Vulnerability \/ Artificial Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini’s voice assistant on Android and made it open a victim’s connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory.<\/p>\n

No malicious app on the phone is required. The assistant just had to treat a hostile notification as useful context.<\/p>\n

The research, published<\/a> by SafeBreach’s Or Yair, follows the team’s earlier \u00abInvitation Is All You Need\u00bb work, which pulled off similar tricks through malicious Google Calendar invites. After that, Google hardened Gemini<\/a> against indirect prompt injection.<\/p>\n

Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVE for the issue, and there is no evidence that the technique was ever used in the wild.<\/p>\n

On Android, Gemini’s Utilities feature<\/a> can read and reply to your notifications, including ones from apps like WhatsApp. It isn’t available on iOS or the web, which keeps this vector Android-only. Yair found the agent that reads those notifications treats their text as instructions it can act on. So anything that can push a notification to a phone can deliver a payload, an attack surface Yair called \u00abeffectively infinite<\/b>.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

At minimum, that lets an attacker rewrite what Gemini says, including faking a message from a named contact. Spoken aloud while you drive and don’t look at the screen, \u00abyour manager asked you to upload the docs to this Drive folder\u00bb is hard to second-guess. The blind version is worse: the payload fires after Gemini has loaded real notifications, so it can grab the first real sender name in the queue and pin the fake message on them.<\/p>\n

<\/p>\n

Faking output is one thing. Firing real tools, like opening a window or launching an app, is what Google’s post-\u00abInvitation\u00bb mitigations were built to stop. Yair’s read, from black-box testing: when a \u00abYes\u00bb authorizes a sensitive action, a check weighs both the user’s reply and Gemini’s last output to decide whether that \u00abYes\u00bb makes sense. Inject a delayed instruction out of nowhere, and Gemini refused, every time.<\/p>\n

\"\"<\/a><\/div>\n

So the bypass, which Yair named Fake Context Alignment<\/b>, runs two illusions at once: a legitimate-looking authorization for the security check, a harmless exchange for the human.<\/p>\n