Fake Context Alignment: The Attack That Made Gemini Obey Strangers Through Your Notifications


Pierluigi Paganini
June 05, 2026

SafeBreach tricked Gemini into obeying attackers via WhatsApp notifications, using hidden foreign-language text to bypass Google’s defenses and control smart home devices.

SafeBreach Labs researcher Or Yair spent months trying to break Google’s Gemini voice assistant after Google patched the vulnerabilities he found in his previous research. The new attack class he developed, named Fake Context Alignment, exploits the trust users place in their own notification stream from WhatsApp, Slack, SMS, Signal, Instagram, and every other app that can drop a message on an Android device.

The attack relies on an indirect prompt injection. When a user asks Gemini to read notifications, the assistant processes the content of incoming messages, including hidden instructions planted by an attacker. Google had already added protections against direct attempts to manipulate Gemini’s tools, but notifications created a new attack path. Because virtually any app can send a notification, the number of potential attack sources is enormous.

The most concerning aspect is the social engineering potential. An attacker can trick Gemini into reading out a fake message that appears to come from a real person in the victim’s notifications. The attacker doesn’t even need to know the contact’s name beforehand. The malicious instruction simply tells Gemini to use the first real sender name it finds. This makes large-scale phishing attacks possible without any prior research on the target.

Getting Gemini to actually execute actions, not just manipulate its output, required bypassing a new Google mitigation that blocked what researchers call Delayed Tool Invocation. The fix Google had deployed was checking whether a user’s “Yes” response made logical sense given what Gemini had just said. Yair reverse-engineered this by trial and error and found the precise loophole: if Gemini itself had asked a question and the user confirmed, tools would fire. So he built attacks that made Gemini ask the right question without the user realizing it.

The first technique used a foreign language. Gemini would vocally read a question in Chinese, immediately followed by an innocuous English phrase like “Is that all you needed?” The user hears only the English, replies “Yes” assuming they’re closing out the notification summary, and the backend security check sees the Chinese question plus the “Yes” and authorizes the action.

The second technique was cleaner: hide the authorization question inside a muted hyperlink. Gemini doesn’t read hyperlink text aloud, so the screen shows “Do you want to open the window?” while the user hears something entirely different. Combined, the two techniques produced what Yair calls the Ultimate Combo: the malicious question embedded in Chinese text, hidden inside a muted link, invisible to the user and authorizing in the background.
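The two bypasses share one root cause: the consent check evaluated the full text of Gemini's turn, while the user heard only part of it. The following is an added, constructed illustration of a consent gate that reasons about the audible text instead (it is not Gemini's code; the segment structure, the `spoken` flag and the sample turns are assumptions made here for the example). A "Yes" only fires a tool when the confirmation question was actually voiced, is the last question the user heard, and sits entirely in the user's own script.

```python
import re
import unicodedata

AFFIRMATIVE = {"yes", "yeah", "yep", "sure", "ok", "okay"}

def audible_text(segments):
    """Only segments TTS voices reach the user's ears; muted hyperlink text does not."""
    return " ".join(seg["text"] for seg in segments if seg.get("spoken", True))

def scripts_in(text):
    """Coarse script classes of the letters in `text`: Latin, CJK or Other."""
    found = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name.startswith(("CJK", "HIRAGANA", "KATAKANA", "HANGUL")):
                found.add("CJK")
            else:
                found.add("Latin" if name.startswith("LATIN") else "Other")
    return found

def questions_in(text):
    """Sentences (Latin or CJK terminators) that end as questions, in spoken order."""
    parts = re.split(r"(?<=[.!?。！？])\s*", text)
    return [p.strip() for p in parts if p.strip().endswith(("?", "？"))]

def authorize_tool_call(segments, user_reply, confirmation_question, user_script="Latin"):
    """Gate a tool invocation on the user's reply. Returns (allowed, reason)."""
    if user_reply.strip().lower().rstrip(".!") not in AFFIRMATIVE:
        return False, "reply is not an affirmative"
    heard = audible_text(segments)
    if confirmation_question not in heard:
        return False, "confirmation question was never spoken to the user"
    if scripts_in(heard) - {user_script}:
        return False, "spoken text mixes scripts; possible hidden-language question"
    qs = questions_in(heard)
    if not qs or qs[-1] != confirmation_question:
        return False, "reply binds to a different question than the one being authorized"
    return True, "consent bound to the spoken confirmation question"

# Constructed sample turns (assumptions, not captured Gemini output).
LEGIT_TURN = [{"text": "Do you want to open the window?", "spoken": True}]
FOREIGN_LANGUAGE_TURN = [{"text": "你想打开窗户吗？", "spoken": True},
                         {"text": "Is that all you needed?", "spoken": True}]
MUTED_LINK_TURN = [{"text": "Do you want to open the window?", "spoken": False},
                   {"text": "Here are your notifications. Is that all you needed?", "spoken": True}]
```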

“Notification-based attacks prove that indirect prompt injections can be reliably executed through highly trusted, everyday communication channels,” reads the report published by SafeBreach.

The actions this unlocked in demos included remotely controlling Google Home devices like windows, boilers, and lights; launching a Zoom call that streamed the victim’s video live; and poisoning Gemini’s long-term memory. That last one has legs beyond a single device.

“Using the same Fake Context Alignment technique, I successfully instructed Gemini to create a recurring task that would automatically read the user’s recent messages every day at 8 PM. Because Gemini’s long-term memory is tied to the user’s entire Google Workspace account, this opened the door for devastating multi-device propagation,” continues the report. “Poisoning the assistant through a notification on the victim’s phone could instantly compromise their interactions with Gemini on their tablet, computer, or smart speaker.”

The researchers also demonstrated scheduling a recurring task that would silently read the user’s recent messages every day at 8 PM. Persistent, automated, invisible.

The Zoom attack used a separate bypass. Google checks URLs opened by Gemini against its Safe Browsing database and blocks anything flagged as unsafe. Yair noticed that most ordinary domains pass this check automatically, including safebreach.com. He configured a trusted-looking domain to issue a 301 redirect pointing to a Zoom App Intent URI. Gemini followed the redirect without asking the user, opened Zoom, joined a meeting, and started video streaming. Safe Browsing, in this case, was essentially a rubber stamp.
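The weakness described here is that the reputation check ran against the URL the assistant was handed, not against where the redirect chain ended. As an added illustration (constructed for this article, not Google's or SafeBreach's code), the policy below resolves the chain without opening anything, then requires every hop to be an http(s) URL that passes reputation; a hop into an app-intent or other custom scheme is refused. The `fetch_head` callable and the response table are assumptions standing in for real HTTP lookups.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

def resolve_chain(url, fetch_head, max_hops=MAX_HOPS):
    """Follow Location headers without opening anything; return every hop in order."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch_head(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops
        # urljoin resolves relative Locations; a Location with a foreign scheme is kept as-is.
        hops.append(urljoin(hops[-1], location))
    raise ValueError("too many redirects")

def safe_to_open(url, fetch_head, reputation_ok):
    """Return (allowed, detail). Every hop must be web-scheme and pass reputation."""
    try:
        hops = resolve_chain(url, fetch_head)
    except ValueError as err:
        return False, str(err)
    for hop in hops:
        scheme = urlsplit(hop).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            return False, f"refusing non-web scheme '{scheme}' at hop {hop}"
        if not reputation_ok(hop):
            return False, f"reputation check failed for {hop}"
    return True, hops[-1]

# Constructed response table: URL -> (status, Location header). Domains and the
# app-intent target are placeholders, not values from the research.
FAKE_RESPONSES = {
    "https://trusted-looking.test/page": (301, "intent://placeholder-app/join"),
    "https://trusted-looking.test/hop": (302, "/landing"),
    "https://trusted-looking.test/landing": (200, None),
    "https://trusted-looking.test/ok": (200, None),
    "https://flagged.test/x": (200, None),
}

def demo_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))

def demo_reputation(url):
    # Stand-in for a Safe Browsing style lookup: only the constructed flagged host fails.
    return urlsplit(url).hostname != "flagged.test"
```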

The hands-free scenario is what makes all of this particularly sharp.

“AI voice assistants are uniquely susceptible to AI attacks that require user interaction because they aim to simulate normal conversational flows. When Gemini asks a question, it automatically opens the microphone, requiring a reply,” continues the report. “This mechanism allows attackers to force multiple interactions from the user, making multi-step exploits significantly easier to execute than on a text-based interface.”

Driving is a perfect scenario for this type of attack. The user can’t look at the screen, depends entirely on what Gemini says, and is likely to follow its instructions. Hidden text and suspicious links remain invisible, making it easier for the attack to succeed.

Yair reported the issue to Google’s Vulnerability Reward Program in August 2025. Google later confirmed that updates to its content classifiers blocked the prompt injection and delayed tool invocation techniques. While the specific vulnerability has been fixed, SafeBreach published the research because the broader issue remains. Whenever a voice assistant processes both user commands and untrusted external content through the same system, similar risks can still emerge.

“Organizations and vendors must move beyond localized mitigations and rethink how AI systems parse trust, context, and cross-channel permissions to ensure user safety,” concludes the report.

Below is a video PoC published by the researcher:
