![\"Notifications](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/05\/one-ui-7-notifications-split-design-hero-scaled.jpg\"\/ "\\"one")
<\/p>\n<\/p>\n
Joe Maring \/ Android Authority<\/p>\n
TL;DR<\/p>\n
Update, June 13, 2025 (5:19 PM ET):<\/strong> Google has reached out to Android Authority with a comment on this researcher\u2019s findings. A spokesperson tells us:<\/p>\n We are aware of this research and we are actively working on a fix for this issue that will be rolling out in a future security update. As general best security practice, we always advise users to avoid clicking on links from unknown or suspicious message senders.<\/p>\n<\/blockquote>\n That\u2019s solid advice, and we look forward to seeing Google\u2019s mitigation in action once the fix is ready.<\/p>\n Original article, June 13, 2025 (11:40 AM ET):<\/strong>\u00a0You might want to think twice before tapping that link in your Android notifications<\/a>, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you\u2019re actually opening, and the potentially dangerous consequences are apparent.<\/p>\n In a clear and detailed blog post<\/a>, security researcher Gabriele Digregorio lays out how Android\u2019s \u201cOpen link\u201d button \u2014 the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack \u2014 can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link.<\/p>\n For example, the system might show you a link to Amazon.com, but when you tap \u201cOpen link,\u201d it subtly takes you to zon.com instead. That\u2019s exactly what happened in one test, where an invisible character was used to split the word into two. Android displayed the full address in the notification as if it were legit, but treated only the second part (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.<\/p>\n It\u2019s easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio\u2019s report shows a WhatsApp<\/a> link that opens a chat with a preset message. This is a legitimate WhatsApp feature, but it\u2019s potentially risky if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some don\u2019t, which means tapping the wrong link could launch something instantly.<\/p>\n Google was notified about the bug in March but hasn\u2019t patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update, but doesn\u2019t warrant a separate and immediate security patch. At the time of the blog\u2019s publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.<\/p>\n Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something looks important, open the app directly instead, and double-check any links before you visit them.<\/p>\n\n