Indirect Prompt Injection Attacks Against LLM Assistants
ID: 296b7fa5-7a5d-5954-80b8-d3dd4eac7274
STIX ID: report--296b7fa5-7a5d-5954-80b8-d3dd4eac7274
Feed Name: Schneier on Security
This research describes practical "Promptware" prompt-injection attacks against Gemini-powered assistants. The attacks use indirect vectors (emails, calendar invites, shared documents) to achieve context/memory poisoning, tool misuse, automatic agent/app invocation, and on-device lateral movement. The authors demonstrate 14 attack scenarios, with potential outcomes including data exfiltration, phishing, disinformation, unauthorized streaming, and smart-home control; Google deployed mitigations after disclosure.
