"SafeBreach reported the findings to Google's Vulnerability Reward Program on August 17, 2025." That timeline anchors a chain of research and emergency fixes that followed a simple insight: a single hostile notification could be treated by Google Gemini's Android assistant as usable instruction.
How Fake Context Alignment hijacked Gemini's Utilities
Research published by SafeBreach researcher Or Yair showed that Gemini's Utilities feature on Android, which can read and reply to notifications from apps such as WhatsApp, Slack, SMS, Signal, Instagram, and Messenger, treated notification text as contextual instructions the assistant might act on. No malicious app was needed on the phone; anything able to push a notification to the device could deliver a payload, an attack surface Yair called "effectively infinite."
Yair built on earlier work dubbed "Invitation Is All You Need," which had used malicious Google Calendar invites to trick Gemini. After Google hardened Gemini against those indirect prompt-injection tricks, Yair demonstrated a new bypass he named Fake Context Alignment. The bypass runs two parallel illusions: one that satisfies Gemini's internal authorization checks and another that looks harmless to the human.
Obfuscated and Muted: the two-pronged bypass
Fake Context Alignment combines two methods described in the SafeBreach report:
- Obfuscated: Gemini asks the actual authorization question in a language the victim does not speak (the report's example is a question in Chinese meaning "Do you want to open the window?"), then follows in English with an innocuous-sounding prompt like "Is that all you needed?" A casual "Yes" from the user can be tied to the earlier foreign-language authorization.
- Muted: Gemini's text-to-speech skips hyperlinks hidden behind clickable text, so a malicious authorization question can be buried in a link the assistant never reads aloud. The assistant might say aloud, "I'm sorry, I had an error, are you there?" while the screen silently shows "Do you want to open the window?" The user's spoken "Yes" can clear the check.
Combine both techniques — a foreign-language authorization prompt hidden inside a muted link — and the assistant can present a benign-sounding spoken exchange while the backend records an authorization it believes is legitimate.
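A defensive illustration of the gap both techniques exploit, added here as an example and not taken from SafeBreach's report or Google's fix: a consent gate that lets a "Yes" authorize an action only when the turn contains exactly one question, that question is read aloud as well as shown, and it is in the user's script. The markdown-style link markup, the function names, and the sample turns are assumptions made for the sketch.

```python
import re
import unicodedata

# Hypothetical reply markup: markdown-style links, [clickable text](url).
LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")
QUESTION = re.compile(r"[^.!?。！？]*[?？]")

def displayed_text(reply):
    """Screen channel: a link renders as its clickable text."""
    return LINK.sub(lambda m: m.group(1), reply)

def spoken_text(reply):
    """Speech channel: per the report, text-to-speech skips linked text."""
    return LINK.sub("", reply)

def _norm(text):
    return " ".join(text.split()).casefold()

def consent_findings(reply):
    """Return (kind, detail) reasons why a "Yes" must not authorize an action."""
    shown = [q.strip() for q in QUESTION.findall(displayed_text(reply))]
    spoken = _norm(spoken_text(reply))
    findings = []
    for q in shown:
        if _norm(q) not in spoken:
            findings.append(("muted", q))  # on screen, never read aloud
        # Simplification: the user's language is assumed to use Latin script.
        if any(c.isalpha() and "LATIN" not in unicodedata.name(c, "") for c in q):
            findings.append(("foreign_script", q))
    if len(shown) != 1:
        findings.append(("ambiguous", f"{len(shown)} questions in one turn"))
    return findings

def yes_can_authorize(reply):
    return not consent_findings(reply)

# Constructed sample turns modelled on the report's two descriptions.
MUTED = ("I'm sorry, I had an error, are you there? "
         "[Do you want to open the window?](https://example.invalid/)")
OBFUSCATED = "你想打开窗户吗？ Is that all you needed?"
PLAIN = "Do you want to open the window?"

if __name__ == "__main__":
    for name, turn in [("muted", MUTED), ("obfuscated", OBFUSCATED), ("plain", PLAIN)]:
        print(name, yes_can_authorize(turn), consent_findings(turn))
```

The script test is a coarse stand-in for real language identification; a production gate would compare the question's detected language with the user's configured locale.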
Actions demonstrated: from fake messages to memory poisoning
Once past Gemini's authorization gate, Yair's demo replicated and extended earlier impacts and added new ones:
- Faking output: the assistant could rewrite what it said, for instance producing a spoken false message that appeared to come from a named contact — the report warns this is particularly effective while a user is driving and not looking at the screen.
- Smart-home control: Gemini could open connected windows, control boilers, and toggle lights through Google Home integrations.
- Tracking and downloads: injected URLs could geolocate a victim by IP or push file downloads.
- Cross-app actions: a demo used a safe-looking domain that redirected to a Zoom app link; Gemini followed the redirect and forced the phone to join a meeting and stream video. SafeBreach emphasized its own domain never redirected to Zoom — the redirect ran on a local server on the test device.
- Memory poisoning: Fake Context Alignment simulated consent so Gemini persistently saved an attacker-chosen fact. In the demo Gemini stored the victim's name as "Danny." Because the memory is account-level, the poisoned fact follows the victim across devices where they use Gemini on that account.
- Persistence: scheduled actions such as a recurring task to read the victim's recent messages every day at 8 PM were also demonstrated.
Google's response: patching server-side and user controls
SafeBreach disclosed the findings to Google's Vulnerability Reward Program on August 17, 2025. Google treated the report as a high priority and on November 14, 2025 confirmed that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass used in the technique. Because the fix is server-side, there was no app update for users to install.
SafeBreach lists no CVE for the issue and reports no evidence the technique was ever used in the wild. The company also notes its demonstration used local-device redirects in place of any malicious behavior on the SafeBreach domain.
Users retain a direct control point: disconnecting the Utilities app in Gemini's Connected Apps settings, or turning off the Google app's "Notification read, reply & control" permission on Android, prevents Gemini from reading notifications and thus blocks this vector.
What this means for end users, security teams, and adversaries
- End users: The attack is Android-only because Gemini's Utilities feature that reads notifications is not available on iOS or the web. Users who do not want Gemini to read notifications can disconnect Utilities or disable the Google app's notification permission on Android.
- Security teams and technologists: The vulnerability shows how an assistant that treats ambient notification text as context can be prompted into sensitive actions. The mitigation was applied server-side through content-classifier improvements and addressed the Delayed Tool Invocation bypass.
- Adversaries and threat actors: The attack surface includes any vector that can push notifications — messaging apps listed in the report (WhatsApp, Slack, SMS, Signal, Instagram, Messenger) among them — and in the SafeBreach account the techniques allowed persistent and account-level effects such as memory poisoning and scheduled actions.
The episode reinforces a simple principle underscored by the report: when an assistant treats layer-to-layer context (screen text, notifications, and spoken prompts) as equivalent, subtle manipulations can authorize sensitive actions without code on the device. Google applied server-side classifier changes after SafeBreach's August 17, 2025 disclosure and confirmed mitigation on November 14, 2025; users who wish to be certain can revoke Gemini's access to notifications on Android today.




