Google Gemini Hijacked on Android via Poisoned Notifications
- [01] Hostile notifications from apps like WhatsApp and Slack can hijack Google Gemini to perform unauthorized actions or poison the assistant memory.
- [02] Android devices utilizing Google Gemini with permissions to read system notifications and connected workspace apps are at risk.
- [03] Users should restrict Gemini access to sensitive notification data and monitor for unauthorized assistant-initiated actions until a platform-level patch is issued.
Vulnerability Overview: Poisoned Notifications
Newly published vulnerability research has identified a significant security flaw in how the Google Gemini assistant processes data on Android devices. According to The Hacker News, a single poisoned notification from a widely used application, including WhatsApp, Slack, SMS, Signal, Instagram, or Messenger, can hijack the Gemini voice assistant.
This attack does not require a malicious application to be installed on the victim’s device. Instead, it leverages the legitimate integration between the Android notification system and the Large Language Model (LLM) powering the assistant. When Gemini parses incoming notifications to provide summaries or contextual assistance, it may inadvertently execute malicious instructions embedded within those messages. This is a classic example of an indirect prompt injection attack, where content the model is meant to read as data is interpreted as an instruction.
Technical Analysis: Indirect Prompt Injection Mechanisms
The technical core of this threat lies in the trust relationship between the Android OS and the Gemini assistant. Because Gemini is designed to be helpful and context-aware, it is granted permission to read notifications so it can offer proactive suggestions. If a threat actor sends a message via Slack containing hidden instructions or character sequences crafted to override the system prompt, the LLM may abandon its intended task and carry out the attacker’s commands instead.
Researchers found that this exploit can force Gemini to open sensitive windows, initiate Zoom calls without user consent, or even draft phishing messages that appear to come from the victim. Because the assistant operates with high-level permissions to interact with other apps, this represents a form of privilege escalation in which the LLM becomes a proxy for the attacker’s intent. Security teams need a way to detect Gemini prompt injection, for example by monitoring for unusual assistant behaviour or unexpected API calls initiated by the AI service.
Google Gemini long-term memory poisoning and lateral risks
One of the most concerning aspects of this research is the ability of an attacker to quietly poison the assistant’s long-term memory. By sending a series of poisoned notifications, an adversary can influence the underlying data Gemini uses for future interactions. This creates a persistent threat where the AI might consistently provide biased, incorrect, or malicious responses even after the initial notification is deleted.
This capability facilitates lateral movement across the user’s digital identity. For instance, if Gemini is connected to a corporate Google Workspace account, the poisoned memory could influence how the assistant handles emails, calendar invites, or sensitive documents. While no CVE has been assigned to this behaviour yet, it highlights a systemic risk in the integration of LLMs into operating systems.
Threat Impact and Potential Exploitation Scenarios
The impact of this vulnerability is broad, affecting any Android user who has enabled Gemini’s notification-reading features. In a corporate environment, a threat actor could send a Slack message that mimics a system alert or a message from an executive. When the assistant reads this, it could be instructed to exfiltrate data or modify account settings.
Defenders should note that this exploit bypasses traditional EDR solutions on the mobile device because the activity is performed by a legitimate, signed system application. Detecting the injection requires visibility into the LLM’s reasoning chain or the specific strings delivered via the notification tray, which is often outside the scope of standard mobile security monitoring.
Android notification hijacking mitigation and defensive strategies
Until Google implements more stringent sanitization of notification data before it reaches the Gemini context window, organizations must adopt proactive measures. The primary Android notification hijacking mitigation is to limit the assistant’s access to sensitive data sources.
Recommended actions for SOC teams and individual users include:
- Restrict Notification Access: Disable Gemini’s permission to read notifications from sensitive communication apps like Slack, WhatsApp, and Signal.
- Memory Auditing: Periodically clear Gemini’s activity history and memory to remove any potentially poisoned data points.
- User Training: Educate employees on the risks of LLM-based assistants and the possibility of receiving malicious commands via standard messaging platforms.
- Monitor Assistant Activity: Check the ‘Gemini Activity’ log within Google account settings for any unauthorized actions or strange command executions.
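As an added example, not code from the article or from Google, the following Python pre-screen illustrates the kind of check the detection section (visibility into the strings delivered via the notification tray) and the mitigation section (sanitizing notification data before it reaches the assistant's context window) call for: it flags invisible and bidirectional-control code points and assistant-directed phrasing in a notification, and wraps whatever is forwarded as quoted, untrusted data rather than as instructions. The heuristic phrase list, the `screen_notification` function and the sample notifications are all constructed here and are not taken from the research.

```python
import re
from dataclasses import dataclass, field

# Invisible and bidirectional-control code points: a human reader never sees them,
# but they reach the assistant as text, so they are a red flag in a chat notification.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",   # zero-width characters / BOM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # bidi embeddings and overrides
    "\u2066", "\u2067", "\u2068", "\u2069",             # bidi isolates
}
TAG_RANGE = range(0xE0000, 0xE0080)  # Unicode "tag" characters, rendered as nothing

# Constructed heuristic phrases that address the assistant rather than the recipient.
INSTRUCTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bignore (all |any )?(previous|prior|above) (instructions|rules)\b",
    r"\bsystem prompt\b",
    r"\b(you are|act as) (an? )?(ai|assistant|gemini)\b",
    r"\b(assistant|gemini)[,:]? (please )?(open|send|call|forward|start|draft)\b",
)]

@dataclass
class Screening:
    app: str
    findings: list = field(default_factory=list)
    sanitized: str = ""

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

def screen_notification(app: str, text: str) -> Screening:
    """Screen one notification before it is handed to the assistant as context."""
    result = Screening(app=app)
    hidden = sum(1 for c in text if c in INVISIBLE or ord(c) in TAG_RANGE)
    if hidden:
        result.findings.append(f"{hidden} hidden or bidi-control code points")
    # Match phrases on the visible text so interleaved zero-width characters cannot
    # split a keyword and slip past the patterns.
    visible = "".join(c for c in text if c not in INVISIBLE and ord(c) not in TAG_RANGE)
    for pat in INSTRUCTION_PATTERNS:
        m = pat.search(visible)
        if m:
            result.findings.append(f"assistant-directed phrase: {m.group(0)!r}")
    # What is forwarded is labelled as quoted, untrusted data, never as an instruction.
    result.sanitized = f"[untrusted notification from {app}]\n{visible}\n[end of notification]"
    return result
```

A flagged notification would be held back from the assistant and logged for the SOC, which is the visibility the article says standard mobile monitoring lacks; the wrapper labels are a mitigation, not a guarantee, since a model may still follow text inside them.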
As AI assistants become more deeply integrated into the OS, the boundary between data and instruction continues to blur. Organizations must treat LLM inputs with the same level of scrutiny as any other untrusted user input to prevent widespread exploitation.