Prompt attacks on the Gemini AI-assistant and Google Workspace with Gemini | Kaspersky official blog
We break down attacks on Google’s AI assistants, and how to protect your devices.
AI Analysis
Technical Summary
The threat involves prompt injection attacks on Google's Gemini AI assistant and Google Workspace, where attackers embed malicious commands in external content like calendar invites or text messages. These commands bypass Gemini's layered filters through techniques including indirect prompt injection, memory poisoning to store persistent malicious instructions, delayed execution to avoid immediate detection, and fake context alignment to trick users into approving hidden commands. Once compromised, Gemini can perform a wide range of unauthorized actions such as deleting calendar data, sending sensitive information externally, controlling smart home devices, launching applications, and leaking user data. The attacks exploit Gemini's ability to read notifications and understand multiple languages, using features like hyperlink suppression in voice output to hide malicious instructions. Google has released fixes for these vulnerabilities, but the nature of prompt injection means future variants may appear. Users are advised to limit Gemini's access and functionality to reduce exposure.
Potential Impact
Successful exploitation allows attackers to execute unauthorized actions through the Gemini AI assistant, including manipulating Google Workspace data, controlling smart home devices, launching applications, and leaking sensitive information. The attacks can persist by poisoning the assistant's long-term memory, affecting all devices linked to the user's account. This can lead to privacy breaches, data loss, unauthorized control of physical devices, and potential information leakage. Although no known exploits are reported in the wild, the attack surface is broad due to Gemini's integration with multiple services and devices.
Mitigation Recommendations
Google has fixed the described vulnerabilities. Users should apply these official fixes where applicable. Additional recommended mitigations include disabling notification previews to prevent malicious text from being read by Gemini, turning off smart features in Gmail or Google Workspace to disable Gemini functionality, selectively revoking Gemini's access to calendar, system functions, and notifications, and disabling the Gemini Utilities app on Android devices. Users may also consider switching to a different assistant or disabling Gemini entirely. Employing security solutions like Kaspersky for Android can provide additional phishing and malicious link protection. These mitigations align with vendor guidance and reduce the risk of prompt injection attacks.
Prompt attacks on the Gemini AI-assistant and Google Workspace with Gemini | Kaspersky official blog
Description
We break down attacks on Google’s AI assistants, and how to protect your devices.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat involves prompt injection attacks on Google's Gemini AI assistant and Google Workspace, where attackers embed malicious commands in external content like calendar invites or text messages. These commands bypass Gemini's layered filters through techniques including indirect prompt injection, memory poisoning to store persistent malicious instructions, delayed execution to avoid immediate detection, and fake context alignment to trick users into approving hidden commands. Once compromised, Gemini can perform a wide range of unauthorized actions such as deleting calendar data, sending sensitive information externally, controlling smart home devices, launching applications, and leaking user data. The attacks exploit Gemini's ability to read notifications and understand multiple languages, using features like hyperlink suppression in voice output to hide malicious instructions. Google has released fixes for these vulnerabilities, but the nature of prompt injection means future variants may appear. Users are advised to limit Gemini's access and functionality to reduce exposure.
Potential Impact
Successful exploitation allows attackers to execute unauthorized actions through the Gemini AI assistant, including manipulating Google Workspace data, controlling smart home devices, launching applications, and leaking sensitive information. The attacks can persist by poisoning the assistant's long-term memory, affecting all devices linked to the user's account. This can lead to privacy breaches, data loss, unauthorized control of physical devices, and potential information leakage. Although no known exploits are reported in the wild, the attack surface is broad due to Gemini's integration with multiple services and devices.
Mitigation Recommendations
Google has fixed the described vulnerabilities. Users should apply these official fixes where applicable. Additional recommended mitigations include disabling notification previews to prevent malicious text from being read by Gemini, turning off smart features in Gmail or Google Workspace to disable Gemini functionality, selectively revoking Gemini's access to calendar, system functions, and notifications, and disabling the Gemini Utilities app on Android devices. Users may also consider switching to a different assistant or disabling Gemini entirely. Employing security solutions like Kaspersky for Android can provide additional phishing and malicious link protection. These mitigations align with vendor guidance and reduce the risk of prompt injection attacks.
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/gemini-assistant-attacks/56134/","fetched":true,"fetchedAt":"2026-07-16T15:41:31.891Z","wordCount":2291}
Threat ID: 6a58fbab68715ace4343f4f1
Added to database: 07/16/2026, 15:41:31 UTC
Last enriched: 07/16/2026, 15:41:50 UTC
Last updated: 07/17/2026, 02:19:11 UTC
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.