
Joe Maring / Android Authority
TL;DR
- A bug in Android notifications may cause the “Open link” button to open a different link than the one displayed.
- Hidden characters within messages can confuse the system, causing it to open a link that only makes up part of the one shown in the notification.
- Until Google issues a fix, it’s safest to avoid using the “Open link” button and to open links manually within the app.
Update, June 13, 2025 (5:19 PM ET): Google has reached out to Android Authority with a comment on this researcher’s findings. A spokesperson tells us:
We’re aware of this research and we’re actively working on a fix for this issue that will be rolling out in a future security update. As general best security practice, we always advise users to avoid clicking on links from unknown or suspicious message senders.
That’s solid advice, and we look forward to seeing Google’s mitigation in action once the fix is ready.
Original article, June 13, 2025 (11:40 AM ET): You may want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you’re actually opening, and the potentially harmful consequences are obvious.
In a clear and detailed blog post, security researcher Gabriele Digregorio lays out how Android’s “Open link” button — the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack — can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link.
For example, the system might show you a link to Amazon.com, but when you tap “Open link,” it quietly takes you to zon.com instead. That’s exactly what happened in one test, where an invisible character was used to split the word in two. Android displayed the full address in the notification as if it were legitimate, but treated only the second half (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.
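To make the mechanism concrete, here is an added illustration (not code from the researcher’s report or from Android itself): a naive link matcher run over a constructed message containing a zero-width space, plus a defensive check that flags when the link extracted from the raw text differs from the one a user would actually see.

```python
import re
import unicodedata

# Constructed sample: "Amazon.com" with a zero-width space (U+200B) inserted
# after "Ama", mimicking the hidden-character split described in the article.
SAMPLE_MESSAGE = "Check this deal: Ama\u200bzon.com today"

# Naive linkifier: a run of hostname characters, dots, and a TLD. U+200B is
# not a hostname character, so a match can only start after it.
_DOMAIN_RE = re.compile(r"(?:https?://)?(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?:/\S*)?")

def naive_extract_links(text):
    """Return the links a naive matcher pulls out of the text as given."""
    return [m.group(0) for m in _DOMAIN_RE.finditer(text)]

def hidden_chars(text):
    """List (index, name) for every Unicode format (Cf) character in text.

    Zero-width spaces, joiners and similar invisible code points are in
    category Cf; ordinary letters, digits and punctuation are not.
    """
    return [(i, unicodedata.name(ch, "UNKNOWN")) for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def visible_text(text):
    """Strip format characters so the string reads as the user sees it."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def check_notification_links(text):
    """Compare links found in the raw text with links in the visible text.

    Returns (extracted, displayed) pairs that differ; an empty list means the
    link the system would open matches the link the user is shown.
    """
    raw_links = naive_extract_links(text)
    shown_links = naive_extract_links(visible_text(text))
    # Pair positionally: a hidden character inside a link yields a raw link
    # that is only a suffix of the displayed one (e.g. zon.com vs Amazon.com).
    return [(raw, shown) for raw, shown in zip(raw_links, shown_links)
            if raw != shown]

if __name__ == "__main__":
    print("hidden characters:", hidden_chars(SAMPLE_MESSAGE))
    print("raw link(s):      ", naive_extract_links(SAMPLE_MESSAGE))
    print("displayed link(s):", naive_extract_links(visible_text(SAMPLE_MESSAGE)))
    print("mismatches:       ", check_notification_links(SAMPLE_MESSAGE))
```

A notification or messaging layer that runs this kind of comparison before offering an “Open link” action can refuse the shortcut, or show the real target, whenever the two disagree.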
It’s easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio’s report shows a WhatsApp link that opens a chat with a preset message. This is a legitimate WhatsApp feature, but it’s potentially dangerous if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some don’t, which means tapping the wrong link could launch something immediately.
Google was notified about the bug in March but hasn’t patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update but doesn’t warrant a separate and immediate security patch. At the time of the blog’s publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.
Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something looks important, open the app directly instead, and double-check any links before you visit them.