SafeBreach researchers uncovered a critical vulnerability in Google’s Gemini voice assistant that could have allowed attackers to hijack the AI using indirect prompt injections delivered through ordinary messaging notifications.
The cybersecurity firm previously discovered a calendar invite attack targeting Gemini and Google Workspace that an attacker could have used to conduct spam and phishing, delete calendar events, learn the victim’s location, remotely control home appliances, and exfiltrate emails.
Building on that research, SafeBreach discovered a new attack class named Fake Context Alignment.
It was disclosed to Google in August 2025 and it was patched in mid-November 2025 with content classifier improvements, but the security firm disclosed its details this week to raise awareness about the persistent risks of prompt injection attacks and to encourage stronger defenses against context manipulation.
The Fake Context Alignment attack works by exploiting notifications from popular apps such as WhatsApp, Slack, and SMS, which silently inject malicious instructions into Gemini’s conversation context without the user’s knowledge.
