😺 Google Gemini got hijacked via WhatsApp
The Neuron · Grant Harvey · 2026-06-04
SafeBreach Labs researchers demonstrate a second successful indirect prompt injection attack against Google Gemini on Android, using a 'Fake Context Alignment' technique embedded in WhatsApp and other messaging app notifications to silently exfiltrate data and launch phishing attacks without any user interaction.
Extraction
Topics: prompt-injection, ai-security, google-gemini, llm-vulnerabilities
Claims
- SafeBreach Labs successfully hijacked Google Gemini by embedding hidden malicious instructions inside crafted WhatsApp messages that Gemini reads as notification context.
- The attack technique, called 'Fake Context Alignment,' makes malicious commands appear as legitimate parts of an ongoing conversation, specifically to bypass Google's existing indirect prompt injection defenses.
- The attack works across WhatsApp, Slack, Signal, SMS, Instagram, and Messenger — any notification-reading surface Gemini has access to.
- Five threat categories were demonstrated: data theft, unauthorized actions, phishing relay, account takeover preparation, and silent surveillance.
- This is SafeBreach's second successful bypass of Gemini's defenses, having previously weaponized Google Calendar invites.
Key quotes
The attack surface isn't a bug in one app. It's the design of how AI assistants work. Any notification Gemini reads from any app is now a potential delivery channel. The more access your assistant has, the bigger the blast radius.
Google has defenses. They got bypassed twice by the same team. That's the uncomfortable part.
Even without Gemini having external tool access, the poisoned context alone lets attackers make Gemini deliver fake system messages, turning a trusted AI interface into a phishing launcher.