
Joe Maring / Android Authority
TL;DR
- A bug in Android notifications can cause the “Open link” button to open a different link than the one displayed.
- Hidden characters within a message can confuse the system, causing it to open a link that makes up only part of the one shown in the notification.
- Until Google issues a fix, it’s safest to avoid using the “Open link” button and to open links manually in the app instead.
Update, June 13, 2025 (5:19 PM ET): Google has reached out to Android Authority with a comment on this researcher’s findings. A spokesperson tells us:
We’re aware of this research and we’re actively working on a fix for this issue that will be rolling out in a future security update. As general best security practice, we always advise users to avoid clicking on links from unknown or suspicious message senders.
That’s solid advice, and we look forward to seeing Google’s mitigation in action once the fix is ready.
Original article, June 13, 2025 (11:40 AM ET): You may want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you’re actually opening, and the potentially harmful consequences are obvious.
In a clear and detailed blog post, security researcher Gabriele Digregorio lays out how Android’s “Open link” button, the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack, can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when it decides which part of the notification text is the link.
For example, the system might show you a link to Amazon.com, but when you tap “Open link,” it quietly takes you to zon.com instead. That’s exactly what happened in one test, where an invisible character was used to split the word into two. Android displayed the full address in the notification as if it were legitimate, but treated only the second half (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.
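The mismatch described above comes down to one fact: the text a user sees and the text a linkifier parses are not the same string once invisible format characters are present. The following is an added example, not code from the article or from the researcher’s report, and it does not reproduce Android’s actual linkifier; it uses a deliberately simple regex as a stand-in. It shows a check a notification-rendering or messaging app could apply before offering an “Open link” action: flag any Unicode format characters (category Cf, which covers zero-width spaces and joiners, the word joiner, the soft hyphen and bidi controls) and compare the links parsed from the raw text with the links parsed after those characters are stripped. The sample message is constructed for the example.

```python
import re
import unicodedata

# Constructed sample: "amazon.com" with a ZERO WIDTH SPACE (U+200B) after "ama",
# modelling the hidden-character case the article describes.
SAMPLE_MESSAGE = "Your order is ready: ama\u200bzon.com/orders"

# Simplified stand-in for a linkifier (assumption: NOT Android's implementation).
# It matches runs of domain-like text; an invisible format character is not a
# word character, so it silently splits a run exactly as the article describes.
_NAIVE_LINK_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/[^\s]*)?")


def find_hidden_characters(text):
    """Return (index, codepoint, name) for every Unicode format (Cf) character."""
    found = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found


def strip_hidden_characters(text):
    """Return the text as a user visually perceives it, minus invisible format characters."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def extract_links(text):
    """Links the naive linkifier would offer to open."""
    return [m.group(0) for m in _NAIVE_LINK_RE.finditer(text)]


def check_notification_text(text):
    """Flag text whose displayed link and parsed link target could diverge.

    'suspicious' is True when any hidden format character is present or when the
    links parsed from the raw text differ from those parsed from the visible text.
    """
    hidden = find_hidden_characters(text)
    visible = strip_hidden_characters(text)
    raw_links = extract_links(text)
    visible_links = extract_links(visible)
    return {
        "hidden_characters": hidden,
        "links_as_parsed": raw_links,
        "links_as_displayed": visible_links,
        "suspicious": bool(hidden) or raw_links != visible_links,
    }


if __name__ == "__main__":
    report = check_notification_text(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the raw text parses as `zon.com/orders` while the visible text parses as `amazon.com/orders`, and the check reports the single U+200B at index 24. A practical mitigation is to refuse the shortcut action, or to show the user the stripped and the parsed link side by side, whenever `suspicious` is set; the two-parse comparison catches the split even if a different invisible character is used than the one in the sample.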
It’s easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio’s report shows a WhatsApp link that opens a chat with a preset message. That is a legitimate WhatsApp feature, but it’s potentially dangerous if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some don’t, which means tapping the wrong link could launch something immediately.
Google was notified about the bug in March but hasn’t patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update but doesn’t warrant a separate and immediate security patch. At the time of the blog’s publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.
Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something looks important, open the app directly instead, and double-check any links before you visit them.