← All articles

SafeBreach 'Fake Context Alignment' hijacks Google Gemini on Android via malicious WhatsApp/Slack notifications - no malicious app needed, now patched

SafeBreach's Or Yair has demonstrated Fake Context Alignment, a technique that hijacks Google Gemini's voice assistant on Android through malicious notifications from apps like WhatsApp and Slack - no malicious app on the phone required. Gemini's Utilities feature reads and acts on notification text as if it were instructions, an attack surface Yair calls 'effectively infinite.' The bypass runs two illusions at once: it poses the real authorization question in a language the victim does not speak, defeating Google's post-Invitation prompt-injection mitigations. It can fake a boss's message, open windows, force a Zoom call, or poison long-term memory. Google has patched it; no CVE was assigned.

Check
Advise Android users with Gemini to disable or restrict its Utilities notification-reading feature where not essential. Treat unexpected spoken instructions referencing Drive uploads or calls with suspicion.
Affected
Android users with Google Gemini's notification-reading Utilities enabled. Any app or service that can push a notification could inject instructions; iOS and web are not affected. Now patched.
Fix
Ensure Gemini is updated to the patched version. Limit which apps can post notifications Gemini reads. For sensitive actions, require on-screen confirmation rather than voice-only approval.