A vulnerability in Google Gemini’s Android integration allowed malicious content embedded in notifications from apps such as WhatsApp, Slack, Signal, and SMS to hijack the AI assistant without requiring any installed malware. An attacker could craft a poisoned notification that caused Gemini to open browser windows, impersonate contacts, initiate calls, or corrupt the assistant’s long-term memory. This is a prompt injection attack exploiting the trust Gemini places in notification content it processes.

Architect’s Take: Organisations deploying Android devices with Gemini enabled should review mobile device management (MDM) policies to restrict AI assistant access to sensitive notification streams, and treat AI assistants as untrusted data processors when designing data-handling workflows. Raise awareness with security teams about prompt injection as a realistic attack vector on enterprise mobile estates.

Original advisory: WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A prompt injection vulnerability in Google Gemini on Android allowed hostile content embedded in notifications from apps such as WhatsApp, Slack, Signal, and SMS to hijack the AI assistant without requiring any malicious app to be installed. An attacker could craft a poisoned message or notification that caused Gemini to perform unauthorised actions — including impersonating contacts, initiating calls, or corrupting its long-term memory. The attack required no user interaction beyond the assistant processing the notification, making it particularly dangerous for enterprise users relying on AI-assisted workflows.

Architect’s Take: Review your organisation’s mobile device management (MDM) policies to restrict or audit Gemini’s access to third-party app notifications, particularly on corporate Android devices. Until Google confirms a fully patched release, consider disabling Gemini’s notification-reading capabilities via app permissions and assess whether AI assistant integrations meet your acceptable risk threshold for enterprise use.

Original advisory: WhatsApp, Slack Notifications Could Hijack Google Gemini on Android