Android Notification Poisoning Attack Lets Gemini Assistants Be Hijacked Remotely

SafeBreach researcher Or Yair discovered that Google Gemini on Android can be hijacked through poisoned notifications from WhatsApp, Slack, SMS, and other messaging apps, enabling attackers to fake messages, launch Zoom calls, or tamper with the assistant's long-term memory.

CSBadmin

The Attack Vector

A security researcher has uncovered a critical vulnerability in Google Gemini’s voice assistant on Android that allows attackers to hijack the assistant using poisoned notifications from popular messaging apps. According to research published by SafeBreach’s Or Yair, a single malicious notification from platforms like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could trick Gemini into performing dangerous actions on a victim’s device. The attack does not require any malicious app to be installed on the phone. Gemini’s Utilities feature on Android can read and reply to notifications, including those from third-party apps, and the researcher found that the agent treats notification text as instructions it can act upon. This creates what Yair described as an “effectively infinite” attack surface, since any service that can push a notification to a phone can deliver a payload.

Impact and Mitigations

At a minimum, an attacker could rewrite what Gemini says aloud, including faking a message from a named contact. In a more serious scenario, the assistant could be made to open a victim’s connected Windows machine, push the phone into a Zoom call, or quietly poison its long-term memory. The blind version of the attack is particularly dangerous because the payload fires after Gemini has loaded real notifications, allowing it to grab the first real sender name and pin the fake message on them. This research follows Yair’s earlier work on malicious Google Calendar invites, after which Google hardened Gemini against indirect prompt injection. The new technique demonstrates a way around those defenses. Google has since patched the vulnerability, and the researcher lists no identifier for the issue. There is no evidence that the technique was ever used in the wild. The attack is Android-only since Gemini’s Utility features are not available on iOS or the web.
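
The article's core point is that notification text was treated as instructions rather than data. The sketch below is an added example, not Google's fix or code from the research: it tags every context item with its provenance and holds side-effecting tool calls for user confirmation whenever third-party notification text is in the context. The tool names, the `ContextItem` and `ToolCall` types and the sample turn are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical tool names, chosen to mirror the actions the article lists.
SIDE_EFFECT_TOOLS = {"launch_call", "write_memory", "send_reply", "open_remote_device"}

@dataclass(frozen=True)
class ContextItem:
    source: str  # "user_voice" or "notification"
    app: str     # originating app, "" for the user
    text: str

@dataclass(frozen=True)
class ToolCall:
    name: str
    args: dict

def is_untrusted(item):
    # Anything a third party can push to the phone is data, never instructions.
    return item.source != "user_voice"

def gate(context, call, user_confirmed=False):
    """Return (decision, reason) for a tool call the model proposed."""
    if call.name not in SIDE_EFFECT_TOOLS:
        return "allow", "read-only tool"
    tainted = sorted({i.app for i in context if is_untrusted(i)})
    if not tainted:
        return "allow", "context holds only the user's own request"
    if user_confirmed:
        return "allow", "user confirmed on a trusted UI surface"
    return "confirm", "side effect requested while context holds text from: " + ", ".join(tainted)

# Constructed sample turn: one notification body carries instruction-like text.
SAMPLE_CONTEXT = [
    ContextItem("user_voice", "", "Read my new messages"),
    ContextItem("notification", "WhatsApp", "See you at 6"),
    ContextItem("notification", "Slack", "<instruction-like text from an unknown sender>"),
]

def demo():
    proposed = [ToolCall("read_aloud", {}), ToolCall("launch_call", {"app": "Zoom"}),
                ToolCall("write_memory", {"note": "..."})]
    return [(c.name, gate(SAMPLE_CONTEXT, c)[0]) for c in proposed]

if __name__ == "__main__":
    for name, decision in demo():
        print(name, decision)
```

The gate keys on where text came from, not on what it says, so it does not depend on recognising a particular payload.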

Source: The Hacker News
