Hidden in Plain Sight: How Notification Prompt Injection Can Hijack Your AI Assistant

Security researchers found a prompt injection vulnerability in Google Gemini's voice assistant that let attackers smuggle malicious instructions inside ordinary notifications. The assistant would read them, believe them, and act on them. No user interaction required beyond the assistant doing its job.

This isn't a theoretical edge case. It's a direct consequence of a design pattern that every AI assistant team is replicating right now: feed the model external content, trust it implicitly, let it act.

How the Attack Actually Worked

The attack surface here is subtle but logical once you see it.

Gemini's voice assistant ingests notifications as context — that's the feature. You ask "what did I miss?" and it summarizes your alerts. The vulnerability is that the assistant didn't distinguish between notification data and instructions. To the model, text is text.