WhatsApp, Slack Notifications Could Hijack Google Gemini on Android
Security researchers discovered that Google Gemini's voice assistant on Android could be hijacked via a single poisoned notification from popular messaging apps including WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. The attack requires no malicious app on the phone; the assistant only needs to process a hostile notification. Once exploited, an attacker could open a victim's connected Windows devices, send a fake message from their boss, force the phone into a Zoom call, or quietly poison Gemini's long-term memory. The vulnerability stems from Gemini's ability to interact with notifications and execute actions based on their content. Google has been notified and is working on a fix. The attack vector highlights the risks of integrating AI assistants deeply with system notifications and cross-platform actions.
Developers must secure notification handling in AI assistants to prevent remote hijacking via everyday messaging apps.