
AI assistants are incredibly helpful when they handle the mundane stuff—like reading your unread messages out loud while you are driving. On Android, Google Gemini uses a feature called Utilities to do exactly that, pulling context from apps like WhatsApp, Slack, and Instagram. However, giving an AI permission to read incoming data creates a unique security puzzle, because AI models famously struggle to separate a piece of incoming data from an actual instruction.
Security researcher Or Yair from SafeBreach recently exposed this exact blind spot, demonstrating how a single poisoned notification could essentially hijack Gemini’s voice assistant on Android. The scariest part? The exploit required zero malicious apps on the device. It simply relied on the assistant treating a hostile text message as a command to execute (via The Hacker News).
The bilingual trick
Google already had guardrails in place to prevent rogue inputs from triggering sensitive actions. Usually, if an instruction tries to open an app or change a setting, Gemini requires a quick confirmation from the user. To bypass this, Yair developed a clever technique called “Fake Context Alignment,” which runs two distinct illusions at the same time.
First, the malicious notification forces Gemini to ask for authorization in a language the user likely doesn’t speak, such as Chinese, asking whether it may open a window or launch a tool. Immediately after, the prompt switches back to English, asking something completely harmless like, “Is that all you needed?”
When the user casually replies “Yes” to dismiss what looks like a minor software glitch, the backend ties that affirmation to the hidden foreign-language question. In a variation of the attack, the malicious instruction gets buried inside a muted hyperlink. Gemini’s text-to-speech skips the link entirely—saying out loud, “I had an error, are you there?”—while the phone’s screen silently displays the authorization prompt. The user says “yes” to the voice, and the system approves the on-screen command.
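The two mismatches described above (an authorization question in the wrong language, and a screen prompt that diverges from what text-to-speech reads aloud) can be modelled as checks a confirmation gate would run before honouring a “yes”. This is an added illustration written for this article, not Google’s or SafeBreach’s code, and it does not describe how Gemini actually implements confirmations; the `PendingAction` type, `may_accept_affirmation` and the fixed prompt template are assumptions for the example.

```python
"""Hypothetical confirmation-binding gate (added example, not Google's code).

A user's "yes" is honoured only if the prompt was in the user's language,
the spoken text equals the on-screen text (so a muted link cannot hide an
authorization request), and the prompt names the exact action awaiting approval.
"""
import re
from dataclasses import dataclass

# Heuristic script ranges: CJK Unified Ideographs, Hiragana/Katakana, Hangul.
NON_LATIN = re.compile(r"[\u4e00-\u9fff\u3040-\u30ff\uac00-\ud7af]")
MARKDOWN_LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")  # keeps visible link text
AFFIRMATIVE = {"yes", "yeah", "yep", "sure", "ok", "okay"}


@dataclass
class PendingAction:
    verb: str     # e.g. "open"
    target: str   # e.g. "Zoom"
    shown: str    # text rendered on the screen
    spoken: str   # text handed to text-to-speech


def canonical_prompt(action: PendingAction) -> str:
    """The only wording the assistant template may use to ask for approval."""
    return f"Do you want me to {action.verb} {action.target}?"


def prompt_script(text: str) -> str:
    """Classify the prompt as latin or non-latin by majority of letters."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return "none"
    foreign = sum(1 for c in letters if NON_LATIN.match(c))
    return "latin" if foreign * 2 < len(letters) else "non-latin"


def may_accept_affirmation(action: PendingAction, reply: str,
                           user_locale: str = "en") -> tuple[bool, str]:
    """Return (accepted, reason); any mismatch refuses the affirmation."""
    if reply.strip().lower().rstrip(".!") not in AFFIRMATIVE:
        return False, "reply is not an affirmation"
    shown = MARKDOWN_LINK.sub(r"\1", action.shown).strip()
    if shown != action.spoken.strip():
        return False, "spoken prompt differs from on-screen prompt"
    if user_locale.startswith("en") and prompt_script(shown) != "latin":
        return False, "prompt not in the user's language"
    if shown != canonical_prompt(action):
        return False, "prompt does not name the pending action"
    return True, "confirmed"
```

The constructed scenarios in the test mirror the article: a Chinese-language request, a harmless English question standing in for the real one, and an authorization prompt hidden in a link that text-to-speech skips.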
What could a rogue prompt do?
Once past the authorization checkpoint, the potential consequences were vast. In testing environments, researchers managed to control connected smart home devices, force the phone to join a Zoom video call without prompting, and even create scheduled tasks to read private messages every night.
More impressively, the exploit achieved “memory poisoning.” Because Gemini saves user details across an entire account, the attack could force the assistant to persistently remember a false fact chosen by the hacker. So, it could follow the user to every device they log into.
The good news
Fortunately, there is no need to panic. SafeBreach reported these vulnerabilities to Google’s Reward Program back in August of last year. Shortly after, Google deployed a server-side patch to mitigate the issue. As the fix happened directly on Google’s content-classifier servers, users do not need to hunt down an app update to stay protected.
The post The Notification Trap: How a Text on WhatsApp Could Have Controlled Your Phone’s AI appeared first on Android Headlines.