SafeBreach researchers identified a vulnerability in the Gemini voice assistant that allowed attackers to hijack it using indirect prompt injections. These injections were delivered through messaging notifications, and Google deployed a patch for the issue in mid-November 2025.
The researchers reported the vulnerability, which they named Fake Context Alignment, to Google in August 2025. This attack class used notifications from applications such as WhatsApp, Slack, and SMS to inject instructions into the Gemini conversation context. Researchers demonstrated that commands could be embedded in various forms, including foreign languages or muted hyperlinks, which the voice assistant processed without reading them aloud.
The attack method enabled several actions, including the control of smart home devices through Google Home and the initiation of Zoom video calls. It also allowed for the generation of messages that appeared to originate from trusted contacts. Furthermore, the method could alter the AI assistant's long-term memory to maintain persistence on a device. The company published videos demonstrating the Zoom and Google Home attacks.
Beyond this, the company previously identified a calendar invite attack targeting Gemini and Workspace. That attack could have enabled spam, phishing, deletion of calendar events, location tracking, remote control of home appliances, and email exfiltration. The patch for the Fake Context Alignment vulnerability included content classifier improvements.
SafeBreach said the research into this new attack class indicates the expanding attack surface as LLM-powered assistants become further integrated into devices and daily routines. The notification-based attacks demonstrate that indirect prompt injections can be executed through communication channels, the company stated. The researchers publicly disclosed details of the vulnerability to raise awareness regarding prompt injection risks.
No independent assessment was available for this report.