Overview
- SafeBreach disclosed a new attack class called Fake Context Alignment that it reported to Google on August 17, 2025 and which Google says it mitigated with content‑classifier changes on November 14, 2025.
- The technique used ordinary messaging notifications from apps like WhatsApp, Slack, SMS, Signal, Instagram, and Messenger to hide hostile instructions inside foreign‑language text or muted hyperlinks so Gemini would treat them as usable context.
- Researchers showed the method could manipulate Gemini to impersonate contacts, control Google Home appliances, force a device into a Zoom call, schedule recurring tasks, and poison the assistant’s long‑term memory without installing a malicious app.
- Google implemented server‑side fixes so no app update is required, SafeBreach reports no evidence of in‑the‑wild exploitation, and no CVE was assigned for the issue.
- Users who want extra protection can disable Gemini’s Utilities or turn off the Google app’s notification read/reply permission on Android and security experts say the case highlights the need to redesign cross‑channel trust and permission rules for agentic assistants.