Google Gemini has become one of the most widely used AI assistants on Android devices, but security researchers recently uncovered a clever attack technique that shows how easily AI systems can be manipulated when they are given access to user notifications.
Researchers at SafeBreach discovered a prompt injection vulnerability that allowed attackers to hide malicious instructions inside Android notifications. The attack demonstrated how seemingly harmless messages sent through platforms such as WhatsApp, Slack, Telegram, or other communication apps could potentially influence Gemini’s behavior when users asked the assistant to review their notifications.
The finding highlights a growing challenge facing AI developers. While AI assistants are becoming more capable of interacting with emails, calendars, messages, and notifications, they still struggle to reliably distinguish between legitimate user content and hidden instructions designed to manipulate their actions.
How the Notification-Based Attack Worked
Prompt injection attacks have become one of the most significant security concerns in the AI era. The technique involves embedding hidden instructions inside content that an AI system processes.
Traditionally, researchers have demonstrated prompt injection through emails, documents, or calendar invitations. However, SafeBreach showed that Android notifications can become an equally effective delivery mechanism.
The attack relied on a specially crafted notification containing two separate elements. The first was a harmless message written in a language the victim could understand. The second was a hidden instruction written in a different language, such as Chinese.
When Gemini was asked to read pending notifications, it processed both parts of the message. Since AI models interpret all text as potential instructions, the assistant could mistakenly treat the hidden content as a command rather than ordinary data.
This is where the attack became particularly dangerous.
Turning a Simple Reply Into Authorization
Researchers demonstrated a scenario in which the visible part of a notification asked a routine question such as, “Would that be all?”
Most users would naturally respond with a simple “Yes.”
However, the hidden section of the notification contained additional instructions that the user could not understand. Those instructions could direct Gemini to perform actions beyond the user’s intent.
For example, the concealed prompt could instruct the AI assistant to access information, process account data, or perform other actions that the attacker wanted. When the victim replied affirmatively, Gemini could interpret the response as approval for both the visible question and the hidden command.
The effectiveness of the attack relied heavily on user psychology. Researchers noted that many people would likely dismiss unfamiliar foreign language text as a display bug, translation error, or application glitch without giving it further thought.
That assumption could make the malicious content easier to overlook.
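As an added example (not SafeBreach's or Google's code), here is a pre-filter that a notification-reading assistant could apply to the two-part message described above: it splits the notification text into script runs and withholds any run in a script the user does not read, so text the user cannot understand never reaches the model. The `user_scripts` setting, the `min_letters` threshold and the sample text are assumptions, and the script label is a coarse heuristic taken from Unicode character names.

```python
import unicodedata

# Constructed sample: a readable question followed by text in another script.
# The second part is a harmless placeholder sentence, not a real payload.
SAMPLE = "Would that be all? 这是一段构造的示例文本，不含任何指令。"


def script_of(ch):
    """Coarse script label (first word of the Unicode name); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def split_runs(text):
    """Split text into [script, substring] runs; non-letters join the current run."""
    runs = []
    for ch in text:
        script = script_of(ch)
        if runs and (script is None or script == runs[-1][0]):
            runs[-1][1] += ch
        else:
            runs.append([script, ch])
    return runs


def screen_notification(text, user_scripts=frozenset({"LATIN"}), min_letters=4):
    """Return (passed_text, withheld).

    Runs of at least min_letters letters in a script the user does not read
    are withheld from the assistant's context and returned for review.
    """
    passed, withheld = [], []
    for script, chunk in split_runs(text):
        letters = sum(1 for c in chunk if c.isalpha())
        if script is not None and script not in user_scripts and letters >= min_letters:
            withheld.append((script, chunk.strip()))
        else:
            passed.append(chunk)
    return "".join(passed).strip(), withheld


if __name__ == "__main__":
    visible, held = screen_notification(SAMPLE)
    print("passed to assistant:", repr(visible))
    for script, chunk in held:
        print(f"withheld ({script}, unreadable to this user):", repr(chunk))
```

This narrows only the mixed-language variant; an instruction written in the user's own language passes the filter unchanged.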
Why AI Assistants Remain Vulnerable
The core issue stems from a fundamental limitation in current AI systems.
Large language models are designed to process text and follow instructions, but they often struggle to separate commands from ordinary content. In many cases, an AI assistant sees all text as equally important.
This creates opportunities for attackers to embed instructions in places users would never expect.
As AI assistants become more deeply integrated with smartphones, email platforms, productivity tools, and messaging services, the attack surface continues to expand. Features designed to improve convenience can inadvertently expose AI systems to manipulated content from external sources.
Security experts have repeatedly warned that prompt injection remains one of the most difficult challenges facing modern AI systems because it exploits how language models fundamentally operate.
Google Responded With a Server-Side Fix
SafeBreach reported the issue to Google in August last year through responsible disclosure channels.
According to the researchers, Google investigated the findings and implemented a server-side mitigation in mid-November. Because the fix was applied on Google’s end, users were not required to download software updates or install security patches on their devices.
The incident serves as another reminder that AI-powered assistants introduce new categories of security risks that extend beyond traditional software vulnerabilities. As AI tools gain broader access to personal information and device functions, defending against prompt injection attacks will remain a critical priority for technology companies.
The research also underscores an important lesson for users. Even seemingly harmless notifications can become potential attack vectors when AI assistants are granted permission to read and act on them. As AI continues to evolve, security protections will need to advance just as quickly.
