- A researcher bypassed Google’s security updates for its Gemini voice assistant on Android using a technique called Fake Context Alignment.
- The exploit allowed a single poisoned notification from apps like WhatsApp or Signal to hijack the assistant, potentially controlling smart devices or poisoning its long-term memory.
- Google has since patched the vulnerability server-side, and there is no evidence it was ever used in real-world attacks.
- Users can mitigate risk by disabling Gemini’s notification-reading feature in their device settings.
In June 2026, cybersecurity researcher Or Yair from SafeBreach demonstrated a critical new way to exploit Google’s Gemini AI on Android devices. A single malicious notification from any major messaging app could have hijacked the voice assistant, according to the research published by the firm. This followed earlier work on calendar-based exploits, which Google had already attempted to harden against.
The attack exploited Gemini’s Utilities feature, which reads notifications to provide context. Consequently, any service that could push a notification created what Yair called an “effectively infinite” attack surface. No malicious app was required on the victim’s phone for the initial intrusion to succeed.
Yair’s technique, Fake Context Alignment, cleverly bypassed Google’s post-“Invitation” security checks. It involved obfuscating the real authorization prompt in a foreign language or hiding it in a muted hyperlink. The user would hear a harmless question and reply “Yes,” while the system linked that consent to the hidden, malicious command.
The potential impacts were severe, ranging from smart home control to memory poisoning. An attacker could, for example, force a phone to join a Zoom call or persistently save a false fact to the user’s account. “The poisoned fact isn’t stuck on the phone; it follows the victim wherever they use Gemini on that account,” the report stated.
SafeBreach reported the vulnerability to Google in August 2025, and the company confirmed a fix by November. Meanwhile, the fix is server-side, so no user app update is needed. The only direct control for users is to disconnect Gemini’s notification access in their Android settings.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
