WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini's voice assistant on Android and made it open a victim's connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile

The report describes an indirect prompt injection flaw in Google Gemini for Android where malicious text embedded in notifications from apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger was treated as executable instructions by the voice assistant, without needing any malicious app on the device.[1][2] According to the research, an attacker-crafted notification could drive Gemini to control smart-home devices, open tracking URLs, force-join Zoom calls, fake messages from trusted contacts, and even poison Gemini’s long-term memory at the account level.[1] Google has deployed server-side mitigations via improved content classification, but the attack surface demonstrates that any untrusted content source feeding an AI agent can silently become a control channel.[1][2] From a CyberSE.AI perspective, organizations using or building AI assistants that read notifications, inboxes, or messages should treat all such external content as untrusted, and use continuous AI red teaming to simulate indirect prompt injection via common channels (notifications, email, chat) before rollout.