Google Gemini security flaw lets hackers hijack your Android phone via WhatsApp — what you need to know

(Image credit: Shutterstock)

If you're an Android user, you probably don't think twice when a routine notification pops up on your phone, especially if it looks like a normal text, Slack message or WhatsApp alert.But new research suggests those everyday notifications can create a far stranger security risk than a suspicious link. In some cases, the message does not need to be opened, tapped or downloaded to become dangerous. It only needs to be processed by Gemini.That is the concern raised by cybersecurity firm SafeBreach Labs, which uncovered a notification-based prompt injection vulnerability affecting Google Gemini on Android.According to the researchers, attackers could send hidden instructions through ordinary messaging notifications, allowing Gemini’s voice assistant to silently absorb malicious commands as part of its conversation context.SafeBreach says the technique could be used to manipulate Gemini’s responses, fake messages from trusted contacts, trigger connected tools, control smart home devices or even poison Gemini’s long-term memory. The company also says Google has since rolled out content classifier updates designed to mitigate the vulnerability.How the attack worksThe vulnerability relies on a threat category known as Indirect Prompt Injection. This happens when an attacker hides malicious commands inside content they know an AI is going to read, rather than typing the command directly into the AI prompt window.Because Google Gemini’s Android assistant is designed to scan incoming notifications to provide helpful, context-aware responses, it automatically reads incoming alerts.Get instant access to breaking news, the hottest reviews, great deals and helpful tips.Google already utilizes advanced machine learning filters to stop Gemini from following instructions embedded in external text. However, SafeBreach found that by carefully structuring the hidden text — sometimes burying it in foreign languages or invisible, muted hyperlinks — they could trick Gemini into thinking the malicious instruction was actually a legitimate part of the user’s ongoing conversation history.By aligning the attack to look like safe context, the payload slipped past Google's defenses entirely.What hackers could do