{"id":13367,"date":"2026-06-04T10:03:36","date_gmt":"2026-06-04T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/04\/new-google-gemini-vulnerability-exploited-via-prompt-injections-from-whatsapp-slack-and-sms\/"},"modified":"2026-06-04T10:03:36","modified_gmt":"2026-06-04T10:03:36","slug":"new-google-gemini-vulnerability-exploited-via-prompt-injections-from-whatsapp-slack-and-sms","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/04\/new-google-gemini-vulnerability-exploited-via-prompt-injections-from-whatsapp-slack-and-sms\/","title":{"rendered":"New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A new class of indirect prompt injection (IPI) attacks targets <a href=\"https:\/\/cybersecuritynews.com\/google-gemini-for-workspace-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Gemini\u2019s voice assistant<\/a>, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.<\/p>\n<p class=\"wp-block-paragraph\">The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm\u2019s earlier \u201cInvitation Is All You Need\u201d disclosure, which weaponized Google Calendar invitations against Gemini.<\/p>\n<p class=\"wp-block-paragraph\">This time, the attack surface is far larger; any application capable of triggering a device notification becomes a viable delivery vector.<\/p>\n<h2 id=\"h-google-gemini-vulnerability-exploited\" class=\"wp-block-heading\"><strong>Google Gemini Vulnerability Exploited<\/strong><\/h2>\n<p
class=\"wp-block-paragraph\">The core exploit leverages Gemini\u2019s Android Utilities agent, specifically the tool that reads incoming notifications. Because this tool processes untrusted data from third-party apps, an attacker can embed malicious instructions directly inside a crafted message.<\/p>\n<p class=\"wp-block-paragraph\">Once Gemini reads the poisoned notification, it silently incorporates the attacker\u2019s commands into the conversational context without the user\u2019s knowledge.<\/p>\n<p class=\"wp-block-paragraph\">Even without invoking external tools, this notification-based IPI enables context poisoning that allows attackers to control Gemini\u2019s output entirely. A manipulated assistant could, for example, relay a fake system message: <em>\u201cThere was an error \u2014 click here to refresh\u201d<\/em> \u2014 a classic phishing lure delivered through a trusted AI interface.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-9-16 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"youtube-embed\" data-video_id=\"\"><iframe loading=\"lazy\" title=\"Demo 4 - Click or Trick\" width=\"563\" height=\"1000\" src=\"https:\/\/www.youtube.com\/embed\/g1Sec2FxAPc?feature=oembed&amp;enablejsapi=1\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/div>\n<\/figure>\n<h2 id=\"h-fake-context-alignment-bypassing-google-s-defenses\" class=\"wp-block-heading\"><strong>Fake Context Alignment: Bypassing Google\u2019s Defenses<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">After Google patched earlier vulnerabilities by blocking chained tool invocations and Delayed Tool Invocation, <a href=\"https:\/\/www.safebreach.com\/blog\/gemini-voice-assistant-prompt-injection-exploit\/\" target=\"_blank\" rel=\"noreferrer 
noopener nofollow\">SafeBreach researchers developed<\/a> a novel bypass technique dubbed Fake Context Alignment.<\/p>\n<p class=\"wp-block-paragraph\">The technique creates a dual illusion, presenting a legitimate authorization scenario to Gemini\u2019s backend security mechanisms while showing the victim an entirely benign interaction.<\/p>\n<p class=\"wp-block-paragraph\">Two techniques were demonstrated:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Obfuscated Fake Context Alignment:<\/strong> Gemini appends a malicious authorization question in a foreign language (e.g., Chinese: <em>\u201c\u4f60\u60f3\u6253\u5f00\u7a97\u6237\u5417?\u201d<\/em> \u2014 \u201cDo you want to open the window?\u201d) immediately followed by a harmless English question. The user replies \u201cYes\u201d to the English prompt while the backend aligns the affirmative with the hidden Chinese instruction, triggering tool execution.<\/li>\n<\/ul>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-9-16 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"youtube-embed\" data-video_id=\"\"><iframe loading=\"lazy\" title=\"Demo 3 - C or T\" width=\"563\" height=\"1000\" src=\"https:\/\/www.youtube.com\/embed\/YB2nseisdz8?feature=oembed&amp;enablejsapi=1\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/div>\n<\/figure>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Muted Fake Context Alignment:<\/strong> The malicious question is embedded as clickable link text that Gemini\u2019s text-to-speech engine silently skips. 
The user hears only a benign voice prompt and unknowingly authorizes a tool call by replying \u201cYes.\u201d<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Combining both techniques into an \u201cUltimate Combo\u201d payload allowed researchers to bypass all of Google\u2019s latest mitigations with high reliability and near-zero user awareness.<\/p>\n<p class=\"wp-block-paragraph\">With Delayed Tool Invocation re-enabled, researchers demonstrated a range of high-severity exploits. These included smart home control: remotely operating connected devices such as windows, boilers, and lighting via Google Home.<\/p>\n<p class=\"wp-block-paragraph\">Another was covert video streaming, in which an attacker can force Zoom to launch and stream the victim\u2019s camera live <a href=\"https:\/\/cybersecuritynews.com\/badiis-malware-turns-hijacks-iis-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">through a 301 HTTP redirect<\/a> from a Safe Browsing-approved domain.<\/p>\n<p class=\"wp-block-paragraph\">Large-scale social engineering was also shown: fabricating messages that appear to come from trusted contacts, without prior knowledge of the contacts\u2019 names, by extracting real sender names from the notification queue.<\/p>\n<p class=\"wp-block-paragraph\">Persistent memory poisoning injects false information into Gemini\u2019s long-term memory across the victim\u2019s entire Google Workspace account, affecting tablets, computers, and smart speakers.<\/p>\n<p class=\"wp-block-paragraph\">Lastly, scheduled surveillance sets up recurring tasks that automatically read the user\u2019s recent messages daily, further compromising their privacy and security.<\/p>\n<p class=\"wp-block-paragraph\">SafeBreach disclosed the findings to <a
href=\"https:\/\/cybersecuritynews.com\/googles-bug-bounty-program-high-reward\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google\u2019s Vulnerability Reward Program<\/a> on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements successfully mitigated the indirect prompt injection and Delayed Tool Invocation scenarios described in the research.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/google-gemini-vulnerability-exploited\/\">New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS A new class of indirect prompt injection (IPI) attacks targets Google Gemini\u2019s voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.
The research, led by Or [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131],"tags":[130],"class_list":["post-13367","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13367"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13367"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13367\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}