SafeBreach researchers uncovered a critical vulnerability in Google’s Gemini voice assistant that could have allowed attackers to hijack the AI using indirect prompt injections delivered through ordinary messaging notifications.
The cybersecurity firm previously discovered a calendar invite attack targeting Gemini and Google Workspace that an attacker could have used to conduct spam and phishing, delete calendar events, learn the victim’s location, remotely control home appliances, and exfiltrate emails.
Building on that research, SafeBreach discovered a new attack class named Fake Context Alignment.
The issue was disclosed to Google in August 2025 and patched in mid-November 2025 with content classifier improvements. The security firm disclosed the details this week to raise awareness about the persistent risks of prompt injection attacks and to encourage stronger defenses against context manipulation.
The Fake Context Alignment attack works by exploiting notifications from popular apps such as WhatsApp, Slack, and SMS, which silently inject malicious instructions into Gemini’s conversation context without the user’s knowledge.
Researchers demonstrated techniques such as embedding hidden commands in foreign languages or in muted hyperlinks: when the user instructs the assistant to read their messaging notifications, it processes these commands but does not read them aloud, effectively bypassing Google’s safeguards.
The vulnerability was especially concerning in hands-free scenarios, such as driving, where users rely heavily on voice interactions with Gemini.
This method enabled attackers to trigger dangerous actions, including controlling smart home devices via Google Home, starting Zoom video calls, crafting deceptive messages that appear to come from trusted contacts, and even establishing persistent control by poisoning the AI assistant’s long-term memory.
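The notification techniques described above depend on text that reaches the assistant's context without being spoken to the user. The following added example (not SafeBreach's or Google's code; Google's fix relied on content classifiers) shows a pre-ingestion gate that enforces parity between what is read aloud and what the model receives. The function names, the `[link]` placeholder, the script heuristic and the sample notifications are assumptions constructed for illustration.

```python
import re
import unicodedata

URL_RE = re.compile(r"https?://\S+")

def script_of(ch):
    """Coarse script label taken from the Unicode name, e.g. LATIN, CYRILLIC, CJK."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def gate(text, user_script="LATIN"):
    """Return (text_for_model, findings) for one notification body.

    Rule: the model may only receive text that is also read aloud.
    Script is a rough proxy for "a language the user will not hear";
    it misses foreign languages written in the user's own script.
    """
    findings = []
    # Links are not spoken, so their contents never enter the model context.
    visible = URL_RE.sub("[link]", text)
    if visible != text:
        findings.append("link-removed")
    # Any letters outside the user's script: hold the whole notification
    # for on-screen review instead of reading or ingesting it.
    foreign = sorted({s for s in map(script_of, visible) if s and s != user_script})
    if foreign:
        findings.append("script:" + ",".join(foreign))
        return None, findings
    return visible, findings

# Constructed sample notifications (not taken from the research).
SAMPLES = [
    ("WhatsApp", "Running late, see you at 6"),
    ("Slack", "Minutes are here https://example.test/notes please review"),
    ("SMS", "Dinner tonight? Привет из примера"),
]

if __name__ == "__main__":
    for app, body in SAMPLES:
        print(app, gate(body))
```
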
“This research demonstrates that as LLM-powered assistants gain deeper integration into our devices and daily lives, the attack surface expands exponentially. Notification-based attacks prove that indirect prompt injections can be reliably executed through highly trusted, everyday communication channels,” SafeBreach said in a blog post.
It added, “Organizations and vendors must move beyond localized mitigations and rethink how AI systems parse trust, context, and cross-channel permissions to ensure user safety.”
SafeBreach has published videos showing the Zoom and Google Home attacks in action.
