Joe Maring / Android Authority
TL;DR
- A bug in Android notifications can cause the âOpen linkâ button to open a different link than the one displayed.
- Hidden characters in the messages can confuse the system, causing it to open a link that only makes up a part of the one in the displayed notification.
- Until Google issues a fix, itâs safest to avoid using the âOpen linkâ button and open links manually in the app.
Update, June 13, 2025 (5:19 PM ET): Google has reached out to Android Authority with a comment on this researcherâs findings. A spokesperson tells us:
We are aware of this research and we are actively working on a fix for this issue that will be rolling out in a future security update. As general best security practice, we always advise users to avoid clicking on links from unknown or suspicious message senders.
Thatâs solid advice, and we look forward to seeing Googleâs mitigation in action once the fix is ready.
Original article, June 13, 2025 (11:40 AM ET):Â You might want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one youâre actually opening, and the potentially dangerous consequences are apparent.
In a clear and detailed blog post, security researcher Gabriele Digregorio lays out how Androidâs âOpen linkâ button â the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack â can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link.
For example, the system might show you a link to Amazon.com, but when you tap âOpen link,â it subtly takes you to zon.com instead. Thatâs exactly what happened in one test, where an invisible character was used to split the word into two. Android displayed the full address in the notification as if it were legit, but treated only the second part (zon.com) as the actual link. Digregorio demonstrates this example in the YouTube video below.
Itâs easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorioâs report shows a WhatsApp link that opens a chat with a preset message. This is a legitimate WhatsApp feature, but itâs potentially risky if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some donât, which means tapping the wrong link could launch something instantly.
Google was notified about the bug in March but hasnât patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update, but doesnât warrant a separate and immediate security patch. At the time of the blogâs publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible.
Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something looks important, open the app directly instead, and double-check any links before you visit them.
