Joe Mark / Android Authority
tl; drag
- Android notifications can cause a different link to a Big “Open Link” button.
- The hidden characters in messages can confuse the system, causing it to open a link that only makes a part of the display notification.
- Unless Google releases a fine, the “Open Link” button is the safest one to avoid opening the link in the app.
You want to think twice before tapping this link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification may not be what you are actually opening, and potentially dangerous consequences.
In a clear and detailed blog post, security researcher Gabriel Degree Gorio has stated how the “Open Link” button of Android appears in notifications from apps such as WhatsApp, Instagram, or Silk – to send users to a different website. This trick includes entering the hidden unicode characters, which is the link to the notification text, when deciding which the link is to fool Android in reading the text differently.
For example, the system can show you the link to Amazon.com, but when you tap on the “Open Link”, it takes you to Zone.com instead. This happened in the same test, where a hidden role was used to divide the word into two. Android showed the full address in the notification as it is legitimate, but only the second part (Zone.com) has been treated as the original link. Degree Goro showed this example in YouTube video below.
It is easy to see how people can be used to visit fishing sites, or even to mobilize operations within apps through deep links. An example of the Degreegoro report depicts a WhatsApp link that opens the chat with a preset message. This is a legitimate feature of the WhatsApp, but it is potentially a risk if used fraudulently. The theory, apps should always ask for confirmation before taking any action through a link. However, some don’t do this, which means that tapping the wrong link can immediately launch something.
Google was informed about the bug in March but has not yet patch it. In correspondence with the researcher, Google assessed the issue as a moderate intensity, which means that it will be focused on future updates, but it does not guarantee a separate and quick security patch. At the time of the blog publishing on Wednesday, the issue still affected Android 14, 15, and 16 -run phones, including Pixel 9 Pro. IPhones behave in different ways, highlighting suspicious links, but similar tricks are technically possible.
Unless there is a fix, the safest option is to avoid fully tapping the links made from these notification. If something looks important, open the app instead, and double check any link before they meet them.
Have a tip? Talk to us! Email our staff at News@Androidauthority.com. You can remain anonymous or get the credit for information, it’s your choice.
