A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger can hijack Google Gemini’s voice assistant on Android and make it open the victim’s connected window, send a fake message from their boss, push the phone into a Zoom call, or silently poison their long-term memory.
No malicious app is needed on the phone. The assistant simply had to treat a hostile notification as useful context.
The research, published by SafeBreach’s Or Yair, follows the team’s earlier “Invitation Is All You Need” work, which uncovered similar tricks via malicious Google Calendar invitations. After that, Google hardened Gemini against indirect prompt injection.
Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVEs for this issue, and there is no evidence that this technique was ever used in the wild.
On Android, Gemini’s Utilities feature can read and respond to your notifications, including those from apps like WhatsApp. It is not available on iOS or the web, which keeps this vector Android-only. Yair found that the agent reading those notifications treats their text as instructions it can act on. So anything that can send a notification to the phone can deliver a payload, an attack surface Yair called “effectively infinite.”
At a minimum, it lets an attacker dictate what Gemini says, including spoofing messages from a named contact. It is hard to second-guess a voice saying, “Your manager has asked you to upload documents to this Drive folder” out loud while you’re driving and not looking at the screen. The blind version is worse: the payload is activated after Gemini has loaded the real notifications, so it can grab the name of the real sender first in the queue and attribute the fake message to them.
Fake output is one thing. Activating actual tools, such as opening a window or launching an app, is what Google’s post-“Invitation” mitigation was created to prevent. Yair’s read from black-box testing: when a “yes” authorizes a sensitive action, the check weighs both the user’s answer and Gemini’s final output to decide whether the “yes” makes sense. When a delayed instruction was injected out of nowhere, Gemini refused every time.
So the bypass, which Yair named false reference alignment, runs two illusions simultaneously: a legitimate-looking authorization for the security check, and a harmless exchange for the human.
- Confusion. Gemini asks the actual authorization question in a language the victim doesn’t speak, say Chinese (“Do you want to open the window?”), then says something casual in English like “Is that all you need?” The user interprets the foreign phrase as a glitch, says “yes”, and the backend associates that “yes” with the Chinese question.
- Silence. Gemini’s text-to-speech leaves out hyperlinks hidden behind clickable text, so the malicious question gets buried in a link that the assistant never reads out loud. Gemini says, “I’m sorry, I made an error, are you there?” while the screen silently shows “Do you want to open the window?” The driver says “yes”, the check is satisfied by the text on the screen, and the window opens.
Combine the two, a Chinese authorization question hidden inside a silent link, and you get a payload that sounds like a normal English exchange while clearing Google’s latest check.
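One way a confirmation gate could resist both illusions, as an added example (not SafeBreach's or Google's code): a "yes" counts only when the authorization question was actually spoken, in the user's language, and was the last question the user heard. The `Segment` model, the function names and the sample strings are assumptions constructed for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass

@dataclass
class Segment:
    text: str
    spoken: bool  # assumption: False marks text the TTS engine skips

def scripts(text):
    """Unicode script names of the letters in text, e.g. {'LATIN', 'CJK'}."""
    return {unicodedata.name(c, "?").split()[0] for c in text if c.isalpha()}

def last_question(text):
    """Last sentence ending in an ASCII or full-width question mark."""
    parts = [p.strip() for p in re.split(r"(?<=[?？])", text)]
    questions = [p for p in parts if p and p[-1] in "?？"]
    return questions[-1] if questions else None

def consent_is_bound(segments, prompt, user_scripts=frozenset({"LATIN"})):
    """Decide whether a spoken 'yes' can be tied to the sensitive-action prompt."""
    shown = " ".join(s.text for s in segments)
    heard = " ".join(s.text for s in segments if s.spoken)
    if prompt not in shown:
        return False, "prompt never presented"
    if prompt not in heard:
        return False, "prompt shown but never spoken"
    if not scripts(prompt) <= user_scripts:
        return False, "prompt not in the user's language"
    if last_question(heard) != prompt:
        return False, "a different question was spoken last"
    return True, "ok"

# Constructed sample turns modelled on the two illusions described above.
ASK_EN = "Do you want to open the window?"
ASK_ZH = "你想打开窗户吗？"
CONFUSION = [Segment(ASK_ZH, True), Segment("Is that all you need?", True)]
SILENCE = [Segment("I'm sorry, I made an error, are you there?", True),
           Segment(ASK_EN, False)]
HONEST = [Segment(ASK_EN, True)]

if __name__ == "__main__":
    for name, turn, ask in [("confusion", CONFUSION, ASK_ZH),
                            ("silence", SILENCE, ASK_EN),
                            ("honest", HONEST, ASK_EN)]:
        print(name, consent_is_bound(turn, ask))
```

The point of the gate is that consent is evaluated against what the user could hear and understand, not against the full text of the model's output.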
Beyond the authorization gate, the effects matched earlier research and then went further:
- Smart home control via Google Home: connected windows, boilers, and lights.
- Tracking and downloads. Opening URLs to geolocate a victim based on IP, or pushing file downloads.
- Launching other apps. In the demo, Yair set up a safe-looking domain to redirect to the Zoom app link, and Gemini followed it without prompting, forcing the phone to join the meeting and stream the video. According to him, this worked because Gemini trusted the domain after it served clean content, then followed the redirect later. SafeBreach insists that its own domain never redirected to Zoom; the redirect ran to the local server on the test device.
- Memory poisoning, which the earlier calendar technique could never manage. Fake reference alignment simulates consent, so Gemini persistently saves the facts chosen by the attacker. In the demo, it stored the victim’s name as “Danny”. Since that memory is account-level, the poison doesn’t stay stuck on the phone; it follows the victim wherever they use Gemini on that account.
- Persistence through scheduled tasks, such as a recurring task that reads the victim’s recent messages every day at 8 pm.
SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google treated this as a high priority and confirmed on November 14, 2025, that content-categorization improvements have mitigated the notification injection and the delayed tool invocation bypass.
Since the fix is server-side, there are no app updates to chase. The only control users have is whether Gemini reads notifications: disconnect the Utilities app in Gemini’s Connected Apps settings, or turn off the Google app’s “Read, reply, and control” permission on Android.