Forensic Summary
SafeBreach researcher Or Yair demonstrated that malicious text embedded in WhatsApp, Slack, SMS, or Signal notifications could trigger indirect prompt injection against Google Gemini's Android Utilities feature, causing the assistant to execute real device actions without user awareness. A novel bypass technique called 'Fake Context Alignment' defeated Google's post-patch authorization checks by exploiting multilingual obfuscation and muted hyperlinks to trick victims into authorising sensitive actions. Google has patched the issue, but the research exposes a fundamentally large attack surface where any app capable of pushing a notification becomes a potential injection vector.
Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/indirect-prompt-injection-via-notifications-hijacks-google-gemini-on-android/
Top comments (0)