This Android notifications bug could trick you into opening a risky link


Joe Maring / Android Authority

TL;DR

  • A bug in Android notifications can cause the “Open link” button to open a different link from the one displayed.
  • Hidden characters in a message can confuse the system into opening a link that is only part of the one shown in the notification.
  • Until Google ships a fix, it is safest to avoid using the “Open link” button and to open links manually in the app instead.

Update, June 13, 2025 (5:19 p.m. ET): Google contacted Android Authority with a comment on the researcher’s findings. A spokesperson tells us:

We are aware of this research and are actively working on a fix for this issue, which will be rolled out in a future security update. As a general security best practice, we always advise users to avoid clicking on links from unknown or suspicious senders.

That is solid advice, and we look forward to seeing Google’s mitigation in action once the fix is ready.


Original article, June 13, 2025 (11:40 a.m.): You may want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means the link you see in the notification may not be the one you actually open, and the potential for harm is obvious.

In a clear and detailed blog post, security researcher Gabriele Digregorio explains how Android’s “Open link” button – the one that appears in notifications from apps like WhatsApp, Instagram or Slack – can be manipulated to send users to a website completely different from the one shown. The trick is to insert hidden Unicode characters into a message, which can fool Android into reading the text differently when it decides which part of the notification text is the link.

For example, the system can show you a link to Amazon.com, but when you press “Open link”, it quietly takes you to Zon.com instead. This is exactly what happened in a test in which an invisible character was used to split the word in two. Android displayed the full address in the notification as if it were legitimate, but treated only the second part (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.
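To make the mechanism concrete, here is an added example (not code from the researcher or from Android) that reproduces the split on a constructed notification body and shows the defensive check a notification pipeline could run: compare the link a user would see with the link the raw text yields, and flag any mismatch. The regex is a simplified stand-in for a linkifier and the sample strings are constructed; both are assumptions, not Android’s real implementation.

```python
from __future__ import annotations

import re
import unicodedata

# Constructed sample notification bodies (not from the researcher's report).
# The first carries a ZERO WIDTH SPACE (U+200B) between "ama" and "zon":
# it renders as "amazon.com" but is stored as two separate runs of text.
SPOOFED_BODY = "Your order has shipped: ama\u200bzon.com"
CLEAN_BODY = "Your order has shipped: amazon.com"

# Simplified stand-in for a linkifier (assumption: Android's real matcher is
# more elaborate, but the failure mode is the same: an invisible format
# character acts as a word boundary, so only the text after it becomes the link).
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def invisible_chars(text: str) -> list[tuple[int, str]]:
    """List (index, U+XXXX) for every Unicode format (category Cf) character."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if unicodedata.category(c) == "Cf"]


def visible_text(text: str) -> str:
    """What the notification shows: Cf characters take no width, so they vanish."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


def naive_link_target(text: str) -> str | None:
    """Linkify the raw text, as the buggy button does: 'zon.com' for SPOOFED_BODY."""
    m = URL_RE.search(text)
    return m.group(0) if m else None


def check_notification(text: str) -> dict:
    """Defensive check: compare the link a user sees with the link the raw text yields.

    A mismatch (or any hidden format character near a URL run) means the
    'Open link' action should be withheld or should display its real destination.
    """
    seen = URL_RE.search(visible_text(text))
    visible_target = seen.group(0) if seen else None
    raw_target = naive_link_target(text)
    return {
        "visible_target": visible_target,
        "raw_target": raw_target,
        "hidden_chars": invisible_chars(text),
        "mismatch": visible_target != raw_target,
    }


if __name__ == "__main__":
    for body in (SPOOFED_BODY, CLEAN_BODY):
        print(check_notification(body))
```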

It is easy to see how this could be used to lure people to phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio’s report shows a WhatsApp link that opens a conversation with a pre-filled message. This is a legitimate WhatsApp feature, but it is potentially risky if used deceptively. In theory, apps should always ask for confirmation before performing any action triggered by a link. However, some do not, which means tapping the bad link could launch something instantly.

Google was informed of the bug in March but has not yet fixed it. In correspondence with the researcher, Google rated the issue as moderate severity, which appears to mean it will be addressed in a future update but does not warrant a separate, immediate security patch. When the blog post was published on Wednesday, the problem still affected phones running Android 14, 15 and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.

Until a fix arrives, the safest option is to avoid tapping these notification-generated links entirely. If something seems important, open the app directly instead and check the links before visiting them.
