Joe Maring / Android Authority
TL;DR
- A bug in Android notifications can cause the “Open link” button to open a different link than the one displayed.
- Hidden characters within a message can confuse the system, causing it to open a link that makes up only part of the one shown in the displayed notification.
- Until Google issues a fix, it’s safest to avoid using the “Open link” button and to open links manually within the app.
Update, June 13, 2025 (5:19 PM ET): Google has reached out to Android Authority with a comment on this researcher’s findings. A spokesperson tells us:
We’re aware of this research and we’re actively working on a fix for this issue that will be rolling out in a future security update. As general best security practice, we always advise users to avoid clicking on links from unknown or suspicious message senders.
That’s solid advice, and we look forward to seeing Google’s mitigation in action once the fix is ready.
Original article, June 13, 2025 (11:40 AM ET): You may want to think twice before tapping that link in your Android notifications, even when it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you’re actually opening, and the potentially harmful consequences are obvious.
In a clear and detailed blog post, security researcher Gabriele Digregorio lays out how Android’s “Open link” button, the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack, can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link.
For example, the system might show you a link to Amazon.com, but when you tap “Open link,” it quietly takes you to zon.com instead. That’s exactly what happened in one test, where an invisible character was used to split the word in two. Android displayed the full address in the notification as if it were legitimate, but treated only the second half (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.
It’s easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio’s report shows a WhatsApp link that opens a chat with a preset message. This is a legitimate WhatsApp feature, but it’s potentially risky if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some don’t, which means tapping the wrong link could launch something immediately.
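To make the mechanism concrete from the defensive side, here is an added example (not code from Digregorio’s post, from Android, or from any of the apps mentioned) that a messaging app or a notification-auditing tool could run over incoming text before offering a link shortcut. It extracts links from the raw text and again from the same text with invisible code points removed; if the two results differ, the text the user reads and the text a link detector parses disagree, which is exactly the condition the article describes. The URL regex is a simplified stand-in for whatever link detector Android uses, and the sample messages are constructed for this example; the specific invisible character in the sample (U+200B) is an assumption, since the article says only that “an invisible character” was used.

```python
import re
import unicodedata

# Code points that render as nothing and can therefore hide a split inside a word.
# Constructed list for this example; the generic check on Unicode category "Cf"
# (format characters) below catches the rest of that class.
INVISIBLE_CODEPOINTS = {
    0x200B,  # ZERO WIDTH SPACE
    0x200C,  # ZERO WIDTH NON-JOINER
    0x200D,  # ZERO WIDTH JOINER
    0x2060,  # WORD JOINER
    0xFEFF,  # ZERO WIDTH NO-BREAK SPACE
    0x00AD,  # SOFT HYPHEN
}

# Simplified link detector (assumption: a stand-in for the platform's own linkifier).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def is_invisible(ch: str) -> bool:
    """True for code points that display as nothing but still break a token."""
    return ord(ch) in INVISIBLE_CODEPOINTS or unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> list:
    """List (index, 'U+XXXX NAME') for every invisible code point in text."""
    return [
        (i, f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}")
        for i, c in enumerate(text)
        if is_invisible(c)
    ]


def extract_links(text: str) -> list:
    """Return the links the simplified detector finds, in order of appearance."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def strip_invisible(text: str) -> str:
    """Return the text as a human perceives it: invisible code points dropped."""
    return "".join(c for c in text if not is_invisible(c))


def audit_message(text: str) -> dict:
    """Compare links parsed from the raw text with links parsed from the text
    as displayed. A mismatch (or any invisible code point at all) marks the
    message as suspicious, so the caller can withhold the link shortcut and
    show the raw address for confirmation instead."""
    raw_links = extract_links(text)
    displayed_links = extract_links(strip_invisible(text))
    hidden = find_invisible(text)
    return {
        "invisible": hidden,
        "raw_links": raw_links,            # what a linkifier would act on
        "displayed_links": displayed_links,  # what the user believes they see
        "suspicious": bool(hidden) or raw_links != displayed_links,
    }


if __name__ == "__main__":
    # Constructed sample messages (not real captured traffic).
    samples = [
        "Check the deal at Ama\u200bzon.com today",   # hidden split inside the host name
        "Visit https://example.com/page now",          # clean message, should pass
    ]
    for msg in samples:
        report = audit_message(msg)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{verdict}: parsed={report['raw_links']} shown={report['displayed_links']} "
              f"hidden={report['invisible']}")
```

Running the block prints one verdict per sample: the first message parses as `zon.com` while the reader sees `Amazon.com`, and the report also pinpoints the offending code point by index and name; the second message yields identical parsed and displayed links and no hidden characters. A notification pipeline that applied this check could decline to show the one-tap “Open link” action whenever the verdict is suspicious and fall back to displaying the full, normalized address for the user to confirm.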
Google was notified about the bug in March but hasn’t patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update but doesn’t warrant a separate and immediate security patch. At the time of the blog’s publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.
Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something seems important, open the app directly instead, and double-check any links before you visit them.