SafeBreach: 'Fake Context Alignment' Lets WhatsApp and Slack Notifications Silently Hijack Google Gemini's Android Voice Assistant

SafeBreach researcher Or Yair publicly disclosed a new class of indirect prompt injection called 'Fake Context Alignment' that lets attackers embed malicious commands inside WhatsApp, Slack, Signal, SMS, or Messenger notifications, silently hijacking Google Gemini's Android voice assistant to open smart-home devices, force live video streaming, create persistent daily surveillance tasks, and poison long-term Workspace memory — with no malicious app installation required. The bypass uses two techniques: a foreign-language concealment trick (Gemini reads a Chinese-language authorization question aloud, the user responds 'Yes' to what looks like a glitch, and the backend maps that affirmative to the hidden command) and muted-hyperlink injection (malicious authorization prompts buried in links Gemini never reads aloud). Google confirmed server-side content-classifier mitigations in November 2025 after SafeBreach's responsible disclosure in August 2025; the full technical write-up was published in June 2026 with no evidence of in-the-wild exploitation.