A recent wave of indirect prompt injection attacks has exposed vulnerabilities in Google Gemini’s voice assistant. These exploits enable attackers to covertly commandeer the AI using harmful payloads sent through widely-used messaging platforms like WhatsApp, Slack, and SMS.
Understanding the New Exploit
Research led by Or Yair from SafeBreach outlines how this new security flaw expands upon previous findings. Earlier, Google Calendar invitations were weaponized, but the current attack method uses any app capable of sending device notifications as a potential delivery channel.
The exploit primarily targets the Android Utilities agent within Gemini, which processes incoming notifications. By embedding harmful instructions within these messages, attackers can manipulate Gemini’s responses without the user’s awareness. This context poisoning allows for phishing attempts, such as delivering deceptive system messages.
Bypassing Google’s Security Measures
Efforts by Google to patch previous vulnerabilities included blocking tool invocation methods, but SafeBreach introduced a new bypass technique called Fake Context Alignment. This approach tricks Gemini’s security mechanisms by presenting a false sense of authorization.
Two variations of this technique were demonstrated. The first, Obfuscated Fake Context Alignment, combines a concealed malicious question in a foreign language with a benign English prompt. The second, Muted Fake Context Alignment, uses hidden clickable text, which Gemini’s text-to-speech feature skips, misleading the user into authorizing tool execution unknowingly.
Implications for Smart Home Devices
These vulnerabilities have serious implications for smart homes. Attackers can control connected devices such as lighting and windows via Google Home. The techniques also allow for covert video streaming by remotely activating video conferencing software, posing significant privacy threats.
Additionally, large-scale social engineering attacks are increasingly prevalent. Messages appear to originate from trusted contacts by extracting real names from notification queues. Persistent memory poisoning further complicates matters, embedding false data across the user’s Google Workspace devices.
Google’s Response and Mitigation Efforts
SafeBreach reported these findings to Google’s Vulnerability Reward Program on August 17, 2025. By November 14, 2025, Google confirmed the deployment of content classifier updates that effectively countered the described attack methods.
This discovery underscores the importance of robust cybersecurity measures, particularly as smart technology becomes more integrated into daily life. Users are encouraged to stay informed about potential risks and participate in awareness programs like the upcoming webinar on OWASP API Top 10 and WAAP guidance.
