top of page
Buscar

The Notification That Talks to Gemini

  • Foto del escritor: Javier Conejo del Cerro
    Javier Conejo del Cerro
  • 4 jun
  • 4 min de lectura

Artificial intelligence assistants are becoming deeply integrated into daily workflows, gaining access to notifications, messages, calendars, smart-home devices, and persistent memory. New research from SafeBreach demonstrates how this convenience can become a security risk when trusted notification channels are weaponized. The vulnerability, now patched by Google, showed that a single malicious notification delivered through common messaging applications could manipulate Google Gemini on Android into performing sensitive actions, modifying long-term memory, and interacting with connected services without requiring any malicious application on the device.


Phase 1: The Infinite Notification Attack Surface 


The attack begins with a seemingly harmless notification delivered through a legitimate communication platform such as WhatsApp, Slack, Signal, SMS, Instagram, or Facebook Messenger.

Because Gemini’s Utilities feature can read notifications and use them as contextual information, the notification itself becomes an attack vector. The attacker does not need malware, device access, or a compromised application. They only need the ability to send a message that generates a notification on the target device.

This dramatically expands the attack surface because virtually any communication platform capable of generating notifications can become a delivery mechanism.


Phase 2: Indirect Prompt Injection 


Once the notification reaches the device, Gemini processes its content as contextual information.

The researchers discovered that carefully crafted instructions hidden inside notifications could influence Gemini’s behavior and responses. This allowed attackers to manipulate what the assistant says, potentially impersonating trusted contacts and delivering false information to victims.

In one scenario, Gemini could falsely claim that a manager requested sensitive documents to be uploaded or shared, increasing the likelihood of social engineering success.


Phase 3: Fake Context Alignment 


Google’s previous mitigations were specifically designed to prevent unauthorized execution of sensitive actions. To bypass these protections, researchers developed a technique called Fake Context Alignment.

The attack creates two different realities simultaneously:

For the security mechanism, Gemini displays a legitimate authorization request.

For the user, Gemini presents a harmless conversation that appears unrelated to the sensitive action.

The victim believes they are responding to an innocent question, while the backend interprets their confirmation as authorization for a completely different operation.


Phase 4: Hidden Authorization Bypass 


The attack introduced two particularly dangerous methods.

The first used foreign-language prompts hidden within the conversation. Gemini would ask a sensitive authorization question in a language unfamiliar to the victim while following it with a harmless English phrase. The victim’s verbal “Yes” would authorize the hidden request.

The second technique abused text-to-speech behavior. Malicious authorization requests were hidden behind hyperlinks that appeared on-screen but were never spoken aloud. The victim heard only an innocuous question while Gemini silently displayed the real authorization request.

Combined, these techniques allowed attackers to bypass authorization safeguards while maintaining the appearance of normal interaction.


Phase 5: Device and Account Manipulation 


Once authorization was obtained, the attack could trigger a wide range of actions.

Researchers demonstrated the ability to:

  • Open applications

  • Launch browser windows

  • Initiate Zoom meetings

  • Trigger smart-home actions

  • Download files

  • Open URLs

  • Perform geolocation through IP tracking

  • Create recurring scheduled tasks

  • Modify Gemini’s long-term memory

Perhaps the most concerning capability was memory poisoning. The attacker could permanently store false information within Gemini’s account-level memory, causing the manipulated data to persist across devices and future interactions.


The Victims


The potential victims include any Android user who has Gemini’s notification-reading functionality enabled. Individuals using smart-home integrations, connected applications, productivity workflows, and persistent AI memory features face the highest exposure.

Corporate users are particularly attractive targets because a compromised assistant could influence communications, schedule actions, manipulate business workflows, and provide attackers with indirect access to sensitive environments.


Breach Method & Potentially Exposed Data


The attack did not rely on malware installation or exploitation of a software vulnerability in the traditional sense. Instead, it leveraged indirect prompt injection delivered through trusted notification channels.

Potential impacts included:

  • Manipulated assistant responses

  • Social engineering through impersonation

  • Unauthorized application launches

  • Smart-home control actions

  • Persistent memory poisoning

  • Scheduled automated tasks

  • File downloads

  • User tracking through URL redirection

  • Account-wide AI behavior manipulation

Because Gemini memory is synchronized at the account level, poisoned information could persist across multiple devices and sessions.


Measures to Fend Off the Attack


  • Disable Gemini notification-reading capabilities if not required.

  • Review Connected Apps permissions regularly.

  • Restrict notification access for AI assistants.

  • Audit Gemini memory entries periodically.

  • Monitor unusual scheduled actions created by AI assistants.

  • Limit smart-home integrations to trusted devices.

  • Verify unexpected requests delivered through voice assistants.

  • Apply least-privilege principles to connected applications.

  • Educate users about AI prompt-injection risks.

  • Review AI assistant activity logs where available.

  • Monitor for unusual application launches triggered by assistants.


Conclusions


The SafeBreach research demonstrates how modern AI assistants create entirely new attack surfaces that extend beyond traditional software vulnerabilities. By abusing notifications as a delivery mechanism and exploiting human trust in conversational interfaces, attackers were able to transform ordinary messages into powerful indirect prompt-injection payloads. Although Google has since mitigated the issue through server-side protections, the research highlights a growing challenge for the industry: securing AI systems that continuously consume untrusted data while maintaining seamless user experiences. As AI assistants become more deeply integrated into operating systems and daily workflows, notification streams, memory systems, and connected applications will increasingly become critical security boundaries.


The Hacker News


 
 
 

Comentarios

bottom of page