A researcher at SafeBreach, Or Yair, identified a new attack method called Fake Context Alignment, which allows malicious actors to exploit Google’s Gemini voice assistant via WhatsApp notifications. The method uses indirect prompt injection, delivered as hidden foreign-language text in notifications, to manipulate the assistant’s responses.
Furthermore, the attack can bypass Google’s defenses, enabling attackers to control smart home devices, initiate Zoom calls, and even alter Gemini's long-term memory without needing extensive knowledge about the victim. Yair demonstrated this capability using various techniques, including subtle prompts in different languages and muted hyperlinks. Despite Google addressing some vulnerabilities, the report emphasizes the ongoing risks associated with voice assistants processing untrusted content.