WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

The discovery of a notification‑based prompt‑injection vector marks a shift in how attackers can influence AI‑driven assistants. Unlike traditional malware, the exploit requires only a standard push notification, leveraging Gemini’s Utilities feature that reads and replies to alerts on Android. Because the assistant treats notification text as actionable input, any app capable of sending a notification—ranging from messaging platforms to system services—becomes a potential launchpad for malicious commands, expanding the attack surface far beyond previously known calendar‑invite tricks.

Google’s response involved server‑side classifier updates that filter out the crafted payloads, effectively neutralizing the immediate threat. However, the technique dubbed Fake Context Alignment reveals a deeper weakness: the assistant’s authorization checks can be decoupled from the visible user prompt through language masking and hidden UI elements. This bypass demonstrates that even hardened prompt‑injection defenses can be subverted when attackers manipulate context alignment, a concern that extends to other conversational AI products that ingest external data streams.

For end users, the practical mitigation is straightforward—disable Gemini’s permission to read notifications or turn off the Utilities integration in the Connected Apps settings. Enterprises should audit device policies to ensure that voice assistants are not granted unnecessary access, especially on BYOD fleets. The episode underscores the urgency for AI developers to implement context validation that distinguishes trusted system inputs from user‑generated content, a step that will be critical as voice assistants become more embedded in smart‑home and enterprise workflows.