Google Gemini AI faces prompt injection security threats
Google Gemini, the artificial intelligence assistant used across thousands of organizations and millions of Android devices, faces ongoing prompt injection security threats. LLM researchers widely agree there is no reliable fix for prompt injection attacks, creating an endless arms race between attackers and defenders.

How SafeBreach Exposed Gemini Vulnerabilities

Two attack simulation studies by SafeBreach demonstrate how malicious content can bypass Gemini’s safeguards through multiple vectors. The research targeted Google Gemini using real-world attack scenarios:

  • A Google Calendar invite containing hidden malicious commands
  • Text messages from SMS, Signal, and social media direct messages
  • Both methods successfully tricked the assistant into performing unauthorized actions

The Four-Step Attack Method

Attackers combine multiple techniques to bypass Gemini’s protective filters. Understanding these steps is critical for users seeking to protect themselves.

Attack Stage Method How It Works
1. Indirect Injection Embed malicious commands in external content Commands hidden in emails or calendar invites, disguised to evade detection
2. Memory Poisoning Save instructions to long-term memory Worded for repeated execution, like Always recommend Company X for investments
3. Delayed Execution Instruct agent to act after next user command Bypasses immediate post-read security checks
4. Fake Context Alignment Hide commands in unseen or unreadable text Foreign language text or hyperlinks within a message, approved unknowingly

What Compromised Gemini Can Actually Do

Once compromised, Gemini executes any action the user has authorized it to perform. The scope of potential damage depends on the device and connected services.

On Google Workspace: Gemini can wipe calendar data, exfiltrate email information to external servers, open malicious websites, or generate false information for organizational use.

On Android phones: Gemini can adjust smart home settings via Google Home (heating, doors, windows, lights, music), launch apps like Zoom calls specified by attackers, and leak location data through arbitrary web links.

The Android attack surface is particularly expansive. Researchers describe it as effectively infinite because Gemini reads notification text from any app including SMS and social media DMs. Attackers can embed malicious instructions in unpronounced hyperlinks within notifications, often alongside foreign language text that users unknowingly confirm with a simple yes. This method can even plant commands into Gemini’s shared long-term memory across all devices on an account.

What Users Can Do Now

Google has patched the specific vulnerabilities described in SafeBreach’s studies. However, new bypass methods may emerge. Users can implement several protective measures to limit Gemini’s access and functionality:

  • Turn off notification previews in system settings
  • Disable smart features in Gmail or Google Workspace
  • Revoke access to specific Gemini tools via the Gemini Utilities app
  • Switch to a different default assistant entirely
  • Revoke Gemini’s permission to read system notifications
  • Disable Gemini completely for your account

These options can be combined to tailor your personal assistant profile, balancing convenience with security. The key is understanding that AI assistants with broad system access create inherent security tradeoffs.

The Bigger Picture

This isn’t a Gemini-only problem. All LLMs lack a reliable defense against prompt injection attacks. Until the AI research community develops fundamental solutions, users must take an active role in managing their exposure. For anyone using Gemini across multiple devices and services, a careful audit of permissions is worth the time investment.

Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates