SafeBreach researchers discovered a vulnerability in Google's Gemini voice assistant that allowed attackers to perform indirect prompt injections via messaging notifications from popular apps. The attack, called Fake Context Alignment, exploits the assistant's processing of silent or hidden commands embedded in notifications, bypassing safeguards by using foreign languages or muted hyperlinks. This enables attackers to trigger actions such as controlling smart home devices through Google Home, starting Zoom video calls, and poisoning the assistant's long-term memory for persistent control. The issue was responsibly disclosed to Google in August 2025 and fixed in mid-November 2025 by enhancing the content classifier. This research underscores the growing attack surface of LLM-powered assistants and the challenges in securing AI systems against context manipulation across communication channels.

The vulnerability allowed attackers to hijack the Gemini voice assistant to perform unauthorized actions including controlling smart home devices, initiating Zoom calls, sending deceptive messages, and establishing persistent control by manipulating the assistant's memory. These actions could be triggered without user knowledge through trusted messaging notifications. The attack was particularly risky in hands-free scenarios such as driving. However, the vulnerability was patched by Google in November 2025, mitigating these risks.

Google released an official patch in November 2025 that improved the content classifier to prevent indirect prompt injections via messaging notifications. Users and organizations should ensure their Gemini voice assistant software is updated to the latest version containing this fix. Since this is not a cloud service, manual updates or patches are required. No further immediate action is required beyond applying the official patch.