Android Gemini Hijacked By Notifications

A vulnerability let attackers hijack Google Gemini on Android using a poisoned notification from trusted apps like WhatsApp or Slack.

A security vulnerability was discovered in Google Gemini on Android that allowed the AI assistant to be controlled through a specially crafted notification. The attack could be delivered via trusted applications like WhatsApp, Slack, or standard SMS messages. The core issue was that Gemini could be tricked into processing malicious commands embedded within a notification's text, treating them as legitimate user instructions. This method did not require the victim to install any malicious software; the attack vector was the notification system itself, a fundamental part of the Android OS.

This vulnerability is significant because it bypasses traditional security measures that focus on malicious apps. By leveraging trusted communication channels, an attacker could perform a range of harmful actions, such as instructing Gemini to send a fake message appearing to be from the user's boss or forcing the device to join a Zoom call. A more subtle attack could involve "poisoning" the AI's long-term memory with false information, potentially influencing future interactions. The flaw affected any Android user with Gemini set as their default assistant, highlighting a novel attack surface for AI-integrated systems.

This vulnerability highlights a new attack surface for AI assistants. By using trusted notification channels like Slack or WhatsApp, attackers can bypass traditional app-based security, making the threat harder to detect and prevent for both users and security teams.

For businesses, this flaw could lead to corporate data exposure, unauthorized actions performed on behalf of employees (e.g., sending fake messages), and social engineering attacks. It underscores the need for security reviews of AI integrations on company devices.