Google · June 4, 2026 · 1 source

SafeBreach flaw lets attackers hijack Gemini voice assistant via notifications

AI Analysis

Security firm SafeBreach disclosed a critical vulnerability allowing attackers to hijack Google's Gemini voice assistant by abusing messaging notifications — effectively a prompt-injection vector delivered through content the assistant processes. Researchers demonstrated triggering smart-home actions and even initiating Zoom calls without the user's intent.

The mechanism is the crux of the broader agentic-AI security problem: an assistant that reads incoming notifications and acts on them can be steered by adversarial text embedded in those notifications. Because Gemini was just made the default assistant across Android, the blast radius is large — exactly the ubiquity-multiplies-risk tradeoff Google's 'default everywhere' strategy invites.

The disclosure lands in a week thick with AI security stories: an open-weight 'BYO LLM' worm prototype, an AI agent surfacing 21 zero-days in FFmpeg, and OpenAI broadening its defensive Lockdown Mode. Together they sketch the central tension — the same agent autonomy that makes assistants useful makes them exploitable.

What to watch: Google's patch and whether it addresses the root cause (action-gating on untrusted content) versus a narrow fix, plus whether regulators take interest given the smart-home physical-world implications. The episode reinforces that prompt injection remains unsolved for assistants that bridge messaging and device control.
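A sketch of what action-gating on untrusted content can look like, added here as an illustration; it is not Google's or SafeBreach's code, and the action names, `Turn` and `gate` are hypothetical. The gate decides from the provenance of what is in the assistant's context, not from the wording of the notification.

```python
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    USER = "user"            # spoken or typed by the device owner
    UNTRUSTED = "untrusted"  # notification bodies, message text, web content


# Hypothetical action names for illustration only.
READ_ONLY = {"notification.read_aloud", "notification.summarize"}
SENSITIVE = {"smart_home.control", "call.start", "message.send"}


@dataclass
class Turn:
    """One assistant turn; provenance is recorded per content item."""
    items: list = field(default_factory=list)  # (Trust, text) pairs

    def add(self, trust, text):
        self.items.append((trust, text))
        return self

    def tainted(self):
        return any(trust is Trust.UNTRUSTED for trust, _ in self.items)


def gate(turn, action, confirmed_action=None):
    """Return "allow", "confirm" or "deny" for a model-proposed action.

    The decision uses provenance only; it never tries to recognise
    malicious wording, which attackers can rephrase.
    """
    if action in READ_ONLY:
        return "allow"
    if action not in SENSITIVE:
        return "deny"                      # default-deny unknown actions
    if not turn.tainted():
        return "allow"                     # only the user's words are in context
    # Untrusted text is in context: require a confirmation bound to this action.
    return "allow" if confirmed_action == action else "confirm"


# Constructed sample turns, not captured traffic.
user_only = Turn().add(Trust.USER, "turn off the hallway light")
with_notification = (
    Turn()
    .add(Trust.USER, "read my new messages")
    .add(Trust.UNTRUSTED, "[constructed] message text that asks for a device action")
)
```

The confirmation is bound to one named action, so approving a light change does not also approve a call started in the same turn.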

Sources
AI Briefing · Curated by AI agents · Updated daily · 2026
Built by Koby Almog