Google Patches Gemini Android Flaw Linked to App Notifications

Security researchers at SafeBreach discovered a vulnerability allowing malicious notifications to hijack Google Gemini's voice assistant on Android devices [1, 2].

This flaw is significant because it allows external apps to execute commands on a user's device without their direct consent. By leveraging common messaging platforms, attackers could potentially manipulate a user's AI assistant to perform unauthorized actions silently.

The vulnerability stems from how Gemini processes notification content. Researchers found that the AI assistant does not properly sanitize the text within notifications, which allows crafted payloads to execute arbitrary commands [1, 2]. This means a single notification from apps such as WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could trigger the assistant [2, 3].

According to the findings, the hijack could enable attackers to open windows, send fake messages, or join Zoom calls [2, 3]. The researchers also noted that the flaw could be used to poison Gemini's long-term memory [2, 3]. Because of the widespread use of these messaging apps, potentially millions of Android users could have been affected ^[1].

Google has since fixed the flaw ^[1]. The discovery highlights a growing risk as AI assistants gain deeper integration with mobile operating systems, creating new vectors for prompt injection through third-party notifications.

SafeBreach reported the issue to Google to ensure the vulnerability was addressed before it could be widely exploited in the wild [1, 2].