WhatsApp, Slack Notifications Can Hijack Google Gemini on Android

Swati Khandelwal | June 03, 2026 | Vulnerability / Artificial Intelligence

A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked the Google Gemini voice assistant on Android and made it open the victim’s connected windows, insert a fake message from their manager, push the phone into a Zoom call, or silently erase its long-term memory.

No malicious app on the phone is required. The assistant only needed to treat the hostile notification as useful context.

The research, published by SafeBreach’s Or Yair, follows the group’s previous work “An Invitation Is All You Need”, which uncovered similar tactics with malicious Google Calendar invites. After that, Google hardened Gemini against indirect prompt injection.

Yair found a way around the new defense. Google has since patched it. SafeBreach does not list a CVE for this issue, and there is no evidence that this technique was ever used in the wild.

On Android, Gemini’s Utility feature can read and respond to your notifications, including those from apps like WhatsApp. The feature is not available on iOS or the web, so this vector is Android-only. Yair found that the agent reading those notifications treated their text as instructions to act on. So anything that can push a notification to a phone can deliver a payload, an attack surface Yair called “with infinite success.”

At the very least, that allows an attacker to rewrite what Gemini says, including spoofing a message from a named contact. If you’re talking out loud while driving and not looking at the screen, “your boss asked you to upload documents to this Drive folder” is hard to second-guess. The blind version is even worse: the payload fires after Gemini loads the real notifications, so it can pick up a real sender’s name from the queue and pin the fake message on them.

Manipulating the output is one thing. Firing up actual tools, like opening a window or launching an app, is what Google’s post-“Invite” mitigations are designed to stop. Yair’s reading, from black-box testing: if “Yes” authorizes a critical action, the check measures both the user’s response and the final output of Gemini to determine whether that “Yes” is meaningful. Inject a delayed command out of place, and Gemini refuses, every time.

Hence the bypass, invented by Yair: False Content Alignment. It uses two tricks at the same time: a seemingly legitimate authorization for the security checks, and a harmless exchange for the human.

  • Obfuscated. Gemini asks the actual authorization question in a language the victim doesn’t speak, say Chinese (“Do you want to open the window?”), then follows it up in English with something innocuous like “Is that all you needed?” The user dismisses the foreign phrase as an error, says “Yes,” and the backend associates “Yes” with the Chinese question.
  • Silenced. Gemini’s text-to-speech skips links hidden behind clickable text. So the malicious question is buried in a link the assistant never reads out loud. Gemini says, “I’m sorry, I was wrong, are you there?” while the screen silently displays “Do you want to open a window?” The driver says “Yes,” the checker sees the text on the screen, and the windows open.

Combine the two, a Chinese authorization command hidden inside a muted link, and you get a payload that sounds like a normal English exchange while clearing Google’s new checks.
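A defensive counterpart to the two tricks above, as an added example (not SafeBreach's or Google's code): a confirmation gate that binds a spoken "Yes" only to a question the user actually heard, in a script the user reads. It assumes hidden text arrives as markdown links and that text-to-speech skips link labels as described above; all function names and sample strings are constructed for illustration.

```python
import re
import unicodedata

LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")  # markdown link: [label](target)

def displayed_text(output):
    """What the screen and a text-based checker see: link labels included."""
    return LINK.sub(r"\1", output)

def spoken_text(output):
    """What the user hears, assuming TTS skips link labels (as the article describes)."""
    return LINK.sub("", output)

def scripts(text):
    """Coarse Unicode script of each letter: first word of its character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def questions(text):
    """Sentences ending in an ASCII or full-width question mark."""
    found = re.findall(r"[^.!?？。]*[?？]", text)
    return [q.strip() for q in found if q.strip()]

def yes_may_authorize(output, user_scripts=frozenset({"LATIN"})):
    """Return (allowed, detail): may a spoken "Yes" be bound to a question in output?"""
    shown = questions(displayed_text(output))
    heard = questions(spoken_text(output))
    hidden = [q for q in shown if q not in heard]
    if hidden:                      # the "silenced" trick
        return (False, "question shown but never spoken: %r" % hidden[0])
    foreign = [q for q in heard if not scripts(q) <= user_scripts]
    if foreign:                     # the "obfuscated" trick
        return (False, "question in a script the user does not read: %r" % foreign[0])
    if len(heard) != 1:             # an ambiguous "Yes" authorizes nothing
        return (False, "expected exactly one spoken question")
    return (True, heard[0])

# Constructed sample outputs modelled on the article's two tricks.
BENIGN = "Do you want to open the window?"
SILENCED = ("I'm sorry, I was wrong, are you there? "
            "[Do you want to open a window?](https://example.invalid/)")
OBFUSCATED = "你想打开窗户吗？ Is that all you needed?"
COMBINED = "[你想打开窗户吗？](https://example.invalid/) Is that all you needed?"

if __name__ == "__main__":
    for name in ("BENIGN", "SILENCED", "OBFUSCATED", "COMBINED"):
        print(name, yes_may_authorize(globals()[name]))
```

The gate fails closed: when the audible channel and the displayed channel disagree about which question was asked, the "Yes" is discarded rather than matched to whichever text the checker happens to read.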

Past the approval gate, the effects were similar to the previous study and went further:

  • Smart home control with Google Home: connected windows, boilers, and lights.
  • Tracking and downloading. Opening URLs to locate the victim by IP or push file downloads.
  • Jump to other apps. In the demo, Yair set up a seemingly safe domain to redirect to a link in the Zoom app, and Gemini followed without prompting, forcing the phone to join the meeting and stream the video. By his account, it worked because Gemini trusted the domain after he served clean content, then followed the later redirect. SafeBreach insists its domain was never redirected to Zoom; the redirection was enabled on a local server on the test device.
  • Memory poisoning, which the previous calendar method did not handle. False Content Alignment mimics consent, so Gemini goes on to save the “truth” chosen by the attacker. In the demo, it kept the victim’s name as “Danny.” Because that memory is account-level, the poisoned truth isn’t stuck on the phone; it follows the victim wherever they use Gemini on that account.
  • Persistence with scheduled actions, such as a pop-up task to read the victim’s latest messages every day at 8 PM.

SafeBreach reported the findings to Google’s Vulnerability Rewards program on August 17, 2025. Google took it very seriously and confirmed on November 14, 2025, that improvements to the content category have reduced notification injections and the bypassing of Delayed Tool Requests.

Because the fix is server-side, there is no application update to chase. The only user control is over whether Gemini reads notifications at all: disable the Services app in Gemini’s Connected Apps settings, or turn off Google’s “Read Notification, respond and control” app permission on Android.
