Google Gemini on Android notification-injection bypass using Fake Context Alignment
Technical Analysis
Summary
Researchers found a notification-based prompt-injection bypass in Google Gemini on Android that could turn hostile notification text into unauthorized assistant actions and account-memory poisoning. The attack widened the input surface to apps that can push notifications, including WhatsApp, Slack, SMS, Signal, Instagram, and Messenger. Google later mitigated the path with server-side changes, and no CVE or in-the-wild use was identified.
Related Happenings
Android Framework code execution and privilege escalation flaw (CVE-2025-48595)
Vulnerability
First: 02.06.2026 14:10
Last: 02.06.2026 14:10
Sources 1
About this happening:
Google's **June 2026 Android security patches** now cover **CVE-2025-48595**, an **actively exploited Android Framework** flaw that can lead to **code execution** and **privilege...
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Google Gemini CLI workspace-trust hardening update
Security Patch Release
First: 30.04.2026 10:07
Last: 30.04.2026 10:07
Sources 1
About this happening:
Google released a **Gemini CLI** security update that changes **workspace-trust handling** for **headless CI workflows**, reducing the risk that untrusted folders can trigger **ho...
NoVoice Android malware hidden in Google Play apps
Malware Activity
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
Timeline
- 14.11.2025 02:00 · 1 article
Google confirms server-side mitigation for Gemini notification injections
Mitigation Patch Update: Google confirms that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass, with no app update required because the fix is server-side; users can reduce exposure by disconnecting Gemini's Utilities app or revoking the Google app's Notification read, reply & control permission on Android.
Sources:
- WhatsApp, Slack Notifications Could Hijack Google Gemini on Android — thehackernews.com — 03.06.2026 22:11
- 17.08.2025 03:00 · 2 articles
SafeBreach reports Google Gemini Android notification-injection bypass
Initial Disclosure: SafeBreach researcher Or Yair shows a Fake Context Alignment bypass against Google Gemini on Android by turning poisoned notifications from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger into instructions that can drive tool use, message spoofing, Zoom joins, memory poisoning, and scheduled actions.
Sources:
- WhatsApp, Slack Notifications Could Hijack Google Gemini on Android — thehackernews.com — 03.06.2026 22:11