SafeBreach disclosed on June 4 a technique they call Fake Context Alignment that allowed them to hijack Google Gemini's voice assistant by hiding commands inside WhatsApp, Slack, and SMS notifications. Google patched the underlying vulnerability in November 2025.
How the attack works
The attack exploits how Gemini processes notification context. An adversary sends the target a message in WhatsApp, Slack, or SMS containing a hidden instruction written in a foreign language or embedded in a muted hyperlink. When Gemini's voice assistant reads or summarizes the notification in hands-free mode, it interprets the hidden instruction as a legitimate command from the device owner and executes it without user confirmation.
What the attack can do
SafeBreach demonstrated the technique controlling Google Home devices, initiating Zoom calls without user consent, and writing adversarial instructions into Gemini's long-term memory. The memory poisoning variant is particularly significant: a successfully injected memory entry persists across sessions and influences Gemini's behavior in future conversations until the user manually audits and clears their memory store.
Why hands-free scenarios carry elevated risk
The attack is most dangerous when the user is not watching their screen. A person who receives a malicious message while driving, exercising, or in a meeting has no visual indication that Gemini received and executed an injected command. In those scenarios, the action completes silently.
What defenders should do
Google patched this vulnerability class in November 2025. Organizations deploying Gemini through the Google Workspace API or through custom integrations should verify they are running post-November 2025 builds. Security teams evaluating agentic AI deployments should treat all external content, including messages, documents, emails, and notifications, as untrusted input channels. Any agentic deployment that grants AI assistants action permissions should require explicit user confirmation before executing actions with real-world effects.
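One way to implement the confirmation requirement above, as an added example that is not code from SafeBreach, Google or this article: a gate that sits between the model and its tools, tracks where context came from, and fails closed. The `ActionGate` class, the action names and the sample message are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Source(Enum):
    OWNER = "owner"                # spoken or typed by the device owner
    NOTIFICATION = "notification"  # WhatsApp / Slack / SMS text the assistant reads

# Hypothetical action names standing in for the effects the article lists.
REAL_WORLD_ACTIONS = {"smart_home.control", "call.start", "memory.write"}

@dataclass
class ToolCall:
    action: str
    args: dict

@dataclass
class ActionGate:
    confirm: object                              # callable(prompt: str) -> bool
    sources: list = field(default_factory=list)  # provenance of everything in context
    audit: list = field(default_factory=list)    # (action, verdict) for later review

    def ingest(self, source: Source, text: str) -> str:
        self.sources.append(source)
        return text  # text is data for the model; it never reaches authorize()

    def authorize(self, call: ToolCall) -> bool:
        if call.action not in REAL_WORLD_ACTIONS:
            verdict = "allowed:no-side-effect"
        else:
            untrusted = any(s is not Source.OWNER for s in self.sources)
            # The prompt is built here from the structured call, not from model output.
            prompt = f"Run {call.action} with {call.args}?"
            if untrusted:
                prompt += " External message content is in this conversation."
            try:
                ok = self.confirm(prompt) is True   # anything but True fails closed
            except Exception:
                ok = False
            verdict = "allowed:confirmed" if ok else "denied:not-confirmed"
        self.audit.append((call.action, verdict))
        return verdict.startswith("allowed")

if __name__ == "__main__":
    # Constructed sample: a notification is read, then the model proposes an action.
    gate = ActionGate(confirm=lambda prompt: False)  # owner does not approve
    gate.ingest(Source.NOTIFICATION, "constructed sample message text")
    print(gate.authorize(ToolCall("call.start", {"app": "Zoom"})), gate.audit)
```

The audit list gives a user who was not watching the screen a record of every action that was proposed and how it was resolved.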
Gigia Tsiklauri is a security architect and AI security practitioner. Follow more analysis at infosec.ge.