WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A critical vulnerability in Google Gemini's Android implementation allowed attackers to hijack the voice assistant through poisoned notifications from legitimate messaging apps. WhatsApp, Slack, Signal, Instagram, Messenger, and SMS could each deliver a single malicious notification that Gemini would process as a voice command, potentially without user awareness.

The attack required no malicious app installation. An attacker merely needed to send a specially crafted notification through any of these widely-used platforms. Once processed, Gemini would execute arbitrary commands including opening connected Windows devices, fabricating messages from contacts, initiating video calls, or modifying the assistant's long-term memory systems that power personalized responses.

The vulnerability stemmed from Gemini's notification handler treating incoming messages as legitimate voice input. This design flaw created a direct pathway from external messaging services into the assistant's command execution layer. The attack surface extended across multiple notification channels, multiplying the risk vector.

Google has patched this issue, but the vulnerability exposed a fundamental design problem in how voice assistants validate input sources. Android users who rely on Gemini for productivity or smart home control faced genuine exposure during the vulnerability window. An attacker with access to a user's messaging contacts could launch targeted attacks exploiting trust relationships.

The incident illustrates how voice assistant security often lags behind traditional application security practices. Input validation failures that would be unacceptable in web applications remain common in voice interfaces. Notification handling, a seemingly innocuous component, became an attack vector that bypassed normal user interaction requirements.

Organizations with Android devices in their workforce should confirm Gemini updates are deployed. Users should review connected apps and services linked to their Google accounts. The vulnerability demonstrates that assistant hijacking requires neither network compromise nor device-level malware. A single poisoned message from a familiar contact sufficed.