Gemini Exposed to Indirect Prompt Injection Through Messaging Apps
While Google’s Gemini serves as a helpful voice assistant, it might also carry hidden security risks. A case has come to light showing that the attackers can silently hijack the AI assistant through indirect prompt injection in messaging apps. The good news is that the company has already deployed fixes after researchers reported the issue.
Gemini could be tricked using hidden instructions in Messages
SafeBreach Labs researchers discovered a new security vulnerability that allows attackers to exploit Gemini. The attack involves pushing indirect prompt injection through normal messages sent via SMS, WhatsApp, Slack, Signal, Instagram, Messenger, and more. These messages contain hidden malicious instructions to influence the AI system.
When Gemini processes the poisoned notification, it may take the instructions in its working context without the user’s knowledge. As such, attackers can poison the conversation and change Gemini’s output to trick users into taking more serious actions.
For example, if an attacker knows the name of a victim’s manager, they can send a malicious WhatsApp message that forces Gemini to announce when asked to read notifications. As a result, users may accept the voice instruction without question. This can happen mainly when they are not looking at their phone, such as while driving.
Furthermore, this attack can work without knowing any specific names in advance. The injected instructions can tell Gemini to pick a real sender name from recent notifications and attach a fake message to it. This allows attackers to automatically impersonate real contacts.
SafeBreach Labs reported the vulnerability to the Google Vulnerability Reward Program (VRP) on August 17, 2025. “On November 14, 2025, Google confirmed that recent improvements to their content classifier successfully mitigated the indirect prompt injections and Delayed Tool Invocation scenarios detailed in this research,” said Or Yair, Security Research Team Lead.
If you want to read the technical breakdown of this vulnerability, you can read SafeBreach’s blog post.
Follow us on Google Discover & set us as a preferred source in Google News
Share this Post
___________________________
New Blog Posts
___________________________
One UI 8.5 Stable Now Rolling Out to These Galaxy Devices
The update should expand to more budget and midrange models soon
Galaxy Z Flip 8 Tipped for Exynos and Snapdragon Split
The phone phone could adopt a regional dual-chip approach
Samsung Notes Update Enhances Productivity with Three Practical Additions
Smarter paste behavior and sort options
