Redazione RHC : 15 August 2025 13:41
Google developers have fixed a bug that allowed malicious Google Calendar invitations to remotely take control of Gemini agents running on the victim’s device and steal user data. Gemini is Google’s Large Language Model (LLM) integrated into Android apps.
SafeBreach researchers discovered that by sending the victim an invitation with an embedded Google Calendar prompt (which could be hidden, for example, in the event title), attackers were able to extract email content and calendar information, track the user’s location, control smart home devices via Google Home, open Android apps, and initiate Zoom video calls.
In their report, the experts emphasize that such an attack did not require access to a white-box model and was not blocked by rapid filters and other Gemini defense mechanisms.
The attack begins by sending the victim an invitation to an event via Google Calendar, the title of which contains a malicious message. Once the victim interacted with Gemini, for example by asking “What events are scheduled on my calendar today?”, the AI downloaded a list of events from Calendar, including the malicious one.
As a result, the malicious prompt became part of Gemini’s context window, and the assistant perceived it as part of the conversation, unaware that the instruction was hostile to the user.
Depending on the prompt used, attackers could launch various tools or agents to delete or modify Calendar events, open URLs to determine the victim’s IP address, join Zoom calls, use Google Home to control devices and access emails, and exfiltrate data.
Researchers observed that an attacker could send six invitations, including the malicious prompt only in the last one, to ensure the attack works while maintaining a certain level of stealth.
The problem is that Calendar Events only displays the latest five events, while the others are hidden under the “Show More” button. However, when requested, Gemini analyzes all of them, including the malicious one. At the same time, the user won’t see the malicious name unless they manually expand the list of events.
Google responded to the SafeBreach report by stating that the company is continuously implementing new defenses for Gemini to counter a wide range of attacks, and that many of the measures are planned for imminent implementation or are already in the process of being implemented.
Redazione