How did the exploit bypass user consent mechanisms?

The exploit leveraged Gemini's ability to process notifications as actionable context, treating malicious notifications as legitimate instructions.

Has Google addressed this vulnerability?

Yes, Google has since patched the vulnerability to prevent such exploits.

Critical Vulnerability: Malicious Notifications Hijack Google Gemini on Android

Discover how a security flaw in Google Gemini allowed attackers to exploit notifications from popular apps to perform unauthorized actions on Android devices.

Published: June 3, 2026

Share this on:

Executive Summary

In June 2026, a vulnerability was discovered in Google Gemini's voice assistant on Android devices, allowing malicious notifications from apps like WhatsApp, Slack, SMS, Signal, Instagram, or Messenger to hijack the assistant. This exploit enabled attackers to perform unauthorized actions such as opening windows, sending fake messages, initiating calls, or altering the assistant's memory, all without requiring a malicious app on the device. The attack leveraged Gemini's ability to process notifications as actionable context, effectively bypassing user consent mechanisms.

This incident underscores the evolving threat landscape where attackers exploit trusted system features to execute malicious activities. It highlights the necessity for continuous security assessments and prompt patching of AI-driven functionalities to prevent unauthorized access and maintain user trust.

Why This Matters Now

The exploitation of AI assistants through benign notifications reveals a critical security gap, emphasizing the urgency for robust safeguards against indirect prompt injections and the need for users to stay vigilant about app permissions and system updates.

Attack Path Analysis

An attacker exploited Google Gemini's voice assistant on Android by sending a malicious notification via messaging apps, leading to unauthorized actions on the victim's device. The assistant processed the notification as a legitimate command, allowing the attacker to execute actions such as opening windows, sending fake messages, initiating calls, or altering the assistant's memory.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

Lowinferred

Impact

High

Initial Compromise

Description

The attacker sends a crafted notification through messaging apps like WhatsApp or Slack, which is processed by Google Gemini's voice assistant as a legitimate command.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1566.001

Spearphishing Attachment

Execution

T1204.002

User Execution: Malicious File

Execution

T1059.003

Command and Scripting Interpreter: Windows Command Shell

Persistence

T1078.003

Valid Accounts: Local Accounts

Privilege Escalation

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Tools

Defense Evasion

T1027

Obfuscated Files or Information

Collection

T1056.001

Input Capture: Keylogging

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The incident exploited vulnerabilities in mobile applications, indicating a failure to protect system components from known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The attack suggests inadequacies in the organization's cybersecurity policy, particularly in addressing mobile application security.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights deficiencies in the ICT risk management framework, especially concerning mobile application vulnerabilities.

CISA ZTMM 2.0 – User and Device Authentication

Control ID: 3.1

The incident underscores the need for robust user and device authentication mechanisms to prevent unauthorized access via mobile applications.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The attack reveals gaps in cybersecurity risk management measures, particularly in securing mobile applications against exploitation.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

Mobile application vulnerabilities in communication platforms threaten encrypted traffic and egress security, risking data exfiltration and regulatory compliance violations.

Health Care / Life Sciences

WhatsApp and messaging app hijacking could compromise patient data through poisoned notifications, violating HIPAA requirements for secure communications.

Information Technology/IT

Android Gemini voice assistant hijacking exposes multicloud visibility gaps and zero trust segmentation weaknesses in enterprise mobile security architectures.

Government Administration

Notification-based attacks on government mobile devices could enable lateral movement and command control through compromised voice assistants and messaging platforms.

Sources

WhatsApp, Slack Notifications Could Hijack Google Gemini on Androidhttps://thehackernews.com/2026/06/whatsapp-slack-notifications-could.html
Verified

Android is letting Google's AI access WhatsApp, texts, and calls – unless you change your settingshttps://www.techspot.com/news/108602-android-letting-google-ai-access-whatsapp-texts-calls.html

Verified

Google Gemini can now read your WhatsApp chats without you knowing – but you can stop ithttps://www.techradar.com/vpn/vpn-privacy-security/google-gemini-can-now-read-your-whatsapp-chats-without-you-knowing-but-you-can-stop-it

Verified

Frequently Asked Questions

Attackers could open windows, send fake messages, initiate calls, or alter the assistant's memory without user consent.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit the voice assistant by enforcing strict segmentation and identity-aware controls, thereby reducing the potential blast radius.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the voice assistant may be constrained by enforcing strict identity-aware controls, reducing unauthorized command execution.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges may be constrained by enforcing strict segmentation, reducing unauthorized command execution.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally may be constrained by enforcing east-west traffic security, reducing unauthorized interactions between applications.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to maintain control may be constrained by enforcing multicloud visibility and control, reducing unauthorized command execution.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate data may be constrained by enforcing egress security and policy enforcement, reducing unauthorized data transmission.

Impact (Mitigations)

The attacker's ability to cause impact may be constrained by enforcing strict segmentation and identity-aware controls, reducing unauthorized actions.

Impact at a Glance

Affected Business Functions

Mobile Device Security
User Privacy Management
Application Security

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential unauthorized access to personal communications and control over connected devices.

Recommended Actions

• Implement strict input validation and sanitization for all data processed by voice assistants to prevent command injection.
• Enhance monitoring and anomaly detection to identify and respond to unusual assistant behaviors promptly.
• Educate users on the risks of processing unsolicited notifications and encourage cautious interaction with voice assistants.
• Regularly update and patch voice assistant software to address known vulnerabilities and improve security measures.
• Develop and enforce policies that limit the assistant's ability to perform high-risk actions without additional user verification.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerability: Malicious Notifications Hijack Google Gemini on Android

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Spearphishing Attachment

User Execution: Malicious File

Command and Scripting Interpreter: Windows Command Shell

Valid Accounts: Local Accounts

Abuse Elevation Control Mechanism: Bypass User Account Control

Impair Defenses: Disable or Modify Tools

Obfuscated Files or Information

Input Capture: Keylogging

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – User and Device Authentication

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Information Technology/IT

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads