Notification Hijacking: How WhatsApp and Slack Content Could Weaponize Google Gemini

Your phone buzzes. A WhatsApp message lands. Gemini reads it. And now Gemini is compromised.

That's the essence of what researchers found in a class of prompt injection vulnerabilities affecting Google Gemini on Android. No malicious app required. No special permissions. Just a carefully crafted notification.

What Happened

Researchers discovered that content embedded in notifications from everyday apps — WhatsApp, Slack, SMS, Signal — could be interpreted by Google Gemini as instructions rather than data. The assistant was reading notification content as part of its operational context and, critically, trusting it.

The result: an attacker who could control what a notification said could potentially cause Gemini to open browser windows, send messages on the user's behalf, initiate calls, or poison Gemini's long-term memory store with false context that persists across sessions.