A vulnerability in Google Gemini on Android allowed crafted notifications from apps like WhatsApp and Slack to manipulate the AI's responses and connected tools. The issue, discovered by SafeBreach, has been addressed through server-side changes.
SafeBreach researchers identified the flaw while testing Gemini’s Android Utilities feature, which reads and responds to phone notifications. The problem enabled prompt injection attacks using alerts from messaging and social apps including WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. The technique, called Fake Context Alignment, created dual scenarios that bypassed security checks. One appeared legitimate to Gemini while presenting a benign version to the user. Or Yair, security research team lead at SafeBreach, published the findings on June 3. Google resolved the issue with server-side content-classifier improvements. No evidence of real-world exploitation was found, and no app update was required for users. Researchers noted that the attack did not need a malicious app on the device. Users can reduce risk by disabling Gemini’s Utilities app or the Google app’s notification permissions. The discovery follows earlier research on calendar-based attacks against the AI.
