Malicious WhatsApp, Slack Alerts Could Have Exposed Millions of Android Users

https://www.techrepublic.com/article/news-whatsapp-slack-alerts-could-manipulate-gemini-android/

Publish Date: 2026-06-04 10:16:00

Source Domain: www.techrepublic.com

A routine phone notification could have become an attack path for Google Gemini on Android, according to new research from SafeBreach.

The now-mitigated issue involved crafted alerts from WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. SafeBreach said the alerts could influence how Gemini handled notification text, alter spoken responses, impersonate trusted contacts, trigger connected tools, and poison long-term memory.

Google addressed the issue with server-side content-classifier improvements. Researchers found no evidence of real-world exploitation.

Researchers found a notification-based prompt injection path

SafeBreach Labs said its researchers found the issue while testing Gemini’s Android Utilities feature, which can read and respond to phone notifications. The flaw affected how Gemini processed untrusted notification text from messaging and social apps.

The research was published on June 3 by Or Yair, security research team lead at SafeBreach. It followed the company’s earlier “Invitation Is All You Need” work, which showed how malicious Google Calendar invites could manipulate Gemini.

“The main purpose of Fake Context Alignment is to create a dual illusion: presenting a legitimate authorization scenario to Gemini’s behind-the-scenes security mechanisms, while presenting a completely different, benign scenario to the victim,” Yair wrote in the SafeBreach report.

The Hacker News reported that the attack did not require a malicious app on the victim’s phone. An attacker only needed to send a crafted notification that Gemini might later summarize or read aloud.

Fake Context Alignment bypassed newer guardrails

Google had already added protections after the earlier calendar-based research, but SafeBreach said Yair found a new bypass called Fake Context Alignment.

The technique created two versions of the same interaction. One looked like legitimate consent to Gemini’s security checks. The other sounded harmless to the…
