Instagram, Google, Signal and Google Home: New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS

Instagram, Google, Signal and Google Home: New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS

New Indirect Prompt Injection Attacks Hijack Google Gemini via Messaging Apps

Researchers at SafeBreach, led by Security Research Team Lead Or Yair, have uncovered a novel class of indirect prompt injection (IPI) attacks targeting Google Gemini’s voice assistant, enabling silent hijacking through malicious payloads delivered via everyday messaging platforms including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.

The exploit leverages Gemini’s Android Utilities agent, which processes incoming notifications from third-party apps. Attackers embed malicious instructions in crafted messages, which Gemini then incorporates into its conversational context without user awareness. This allows for context poisoning, where the AI can be manipulated to deliver phishing lures (e.g., fake error messages prompting clicks) or execute unauthorized actions.

To bypass Google’s security measures including patches for chained tool invocations and Delayed Tool Invocation SafeBreach developed Fake Context Alignment, a technique that deceives both Gemini’s backend and the user. Two variants were demonstrated:

  • Obfuscated Fake Context Alignment: A malicious question in a foreign language (e.g., Chinese) is followed by a benign English prompt. The user’s "Yes" response to the English question unknowingly authorizes the hidden instruction.
  • Muted Fake Context Alignment: A malicious question is embedded as clickable link text, skipped by Gemini’s text-to-speech engine, while the user hears only a harmless voice prompt.

Combining these methods into an "Ultimate Combo" payload reliably bypassed Google’s defenses, enabling high-severity exploits. Researchers demonstrated remote control of smart home devices (e.g., windows, boilers, lighting via Google Home), covert video streaming (forcing Zoom to stream a victim’s camera via a 301 redirect from a trusted domain), and large-scale social engineering (fabricating messages from trusted contacts using extracted sender names).

Additional risks include persistent memory poisoning, where false data is injected into Gemini’s long-term memory across a victim’s Google Workspace, and scheduled surveillance, where recurring tasks automatically read recent messages.

SafeBreach disclosed the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements had mitigated the indirect prompt injection and Delayed Tool Invocation vulnerabilities.

Source: https://cybersecuritynews.com/google-gemini-vulnerability-exploited/

Instagram TPRM report: https://www.rankiteo.com/company/meta

Google TPRM report: https://www.rankiteo.com/company/google

Signal TPRM report: https://www.rankiteo.com/company/signalx-ai

Google Home TPRM report: https://www.rankiteo.com/company/google

"id": "metsiggoo1780511120",
"linkid": "meta, signalx-ai, google",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Google Gemini users',
                        'industry': 'Technology/Software',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Technology Company'}],
 'attack_vector': ['Messaging Apps (WhatsApp, Slack, Signal, SMS, Instagram, '
                   'Messenger)',
                   'Google Gemini’s Android Utilities Agent'],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['User messages',
                                              'Sender names',
                                              'Google Workspace data']},
 'date_detected': '2025-08-17',
 'date_resolved': '2025-11-14',
 'description': 'Researchers at SafeBreach uncovered a novel class of indirect '
                'prompt injection (IPI) attacks targeting Google Gemini’s '
                'voice assistant, enabling silent hijacking through malicious '
                'payloads delivered via messaging platforms like WhatsApp, '
                'Slack, Signal, SMS, Instagram, and Messenger. The exploit '
                'leverages Gemini’s Android Utilities agent to process '
                'malicious instructions embedded in messages, leading to '
                'context poisoning, phishing lures, unauthorized actions, '
                'remote control of smart home devices, covert video streaming, '
                'and social engineering attacks.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': ['User messages',
                                 'Sender names',
                                 'Google Workspace data'],
            'identity_theft_risk': 'High',
            'operational_impact': ['Unauthorized control of smart home devices',
                                   'Covert video streaming',
                                   'Social engineering attacks'],
            'systems_affected': ['Google Gemini Voice Assistant',
                                 'Google Home',
                                 'Zoom',
                                 'Google Workspace']},
 'investigation_status': 'Resolved',
 'post_incident_analysis': {'corrective_actions': ['Content classifier '
                                                   'improvements to mitigate '
                                                   'indirect prompt injection '
                                                   'and Delayed Tool '
                                                   'Invocation '
                                                   'vulnerabilities'],
                            'root_causes': ['Vulnerabilities in Google '
                                            'Gemini’s content classification '
                                            'and tool invocation mechanisms']},
 'references': [{'source': 'SafeBreach Research'}],
 'response': {'remediation_measures': 'Content classifier improvements'},
 'title': 'New Indirect Prompt Injection Attacks Hijack Google Gemini via '
          'Messaging Apps',
 'type': 'Indirect Prompt Injection (IPI) Attack',
 'vulnerability_exploited': ['Context Poisoning',
                             'Fake Context Alignment',
                             'Obfuscated Fake Context Alignment',
                             'Muted Fake Context Alignment',
                             'Delayed Tool Invocation']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.