The Bottom Line: Prompt injection vulnerability in Google Gemini Voice Assistant enables hidden malicious commands through manipulated notifications, potentially leading to social engineering and data misuse.
A prompt injection vulnerability in Google Gemini’s voice assistant allows attackers to covertly inject commands into notifications and conduct social engineering attacks. The vulnerability enables manipulation of AI outputs through malicious inputs.
Google Gemini is affected by a prompt injection flaw in its voice function. Attackers can hide malicious commands in system notifications that the voice assistant processes. Because the assistant treats these notifications as trusted system information, it executes the embedded malicious instructions.
This attack vector enables social engineering campaigns: An attacker can generate manipulated notifications that trick users into disclosing sensitive data, authorizing payments, or performing unauthorized actions. The request appears to be a legitimate system note.
For CISOs, this represents a new risk in the supply chain security of users who deploy Gemini in a business context. Voice interfaces are more difficult to monitor than graphical inputs, which complicates detection of attacks of this type. It is recommended to raise user awareness of the threat and review which Gemini functions are permitted in the enterprise environment.
Source: www.darkreading.com · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.