The SafeBreach disclosure reveals how Android's Gemini Utilities feature ingests notifications from WhatsApp, Slack, SMS and other apps as executable context, enabling indirect prompt injection without any malicious app on the device. This extends the team's prior 'Invitation Is All You Need' calendar attack by bypassing Google's post-mitigation authorization checks through Fake Context Alignment: an obfuscated non-English authorization prompt hidden behind muted TTS links that lets a spoken 'Yes' authorize actions like opening smart-home windows or forcing Zoom joins. The vector is Android-exclusive due to notification access, yet its 'effectively infinite' surface—any push notification from any service—creates persistent risks of memory poisoning, credentialed action spoofing, and cross-app redirection that prior coverage understates. Related research, including arXiv studies on LLM-integrated prompt injection and Google's own hardening attempts, shows this pattern of trusted external context overriding safety layers will recur as assistants deepen OS and IoT ties. The absence of a CVE and lack of wild exploitation do not reduce systemic exposure; they underscore how notification channels remain an under-scrutinized integration point across consumer AI deployments.