Latest news with #Digregorio
Forbes
13-06-2025
- Forbes
Do Not Click These Notifications On Your Phone
More links you cannot click. A surprise warning for Android users heading into the weekend. It turns out on-screen notification links for even the most popular apps on your phone can be hijacked by attackers and used to redirect you to malicious websites or even to malware. Android Authority picked up the security warning from security researcher Gabriele Digregorio, and warns 'until Google issues a fix, it's safest to avoid using the 'Open link' button' within on-screen notifications, 'and open links manually in the app.' In his blog post, Digregorio explains that 'Android notifications do not properly handle some Unicode characters, leading to inconsistencies between what is displayed and what is used by the automatic 'Open Link' suggestions. This may trick users into opening a different link from the one shown in the notification.' FBI Confirms iPhone And Android Warning—Delete All These Texts That's dangerous, because the flaw 'can be exploited for phishing or to trigger app links and deep links.' Per Android Authority, even though 'Google was notified about the bug in March, [it] hasn't patched it yet.' The disclosure confirms that 'the issue still affects phones running Android 14, 15, and 16, including the Pixel 9 Pro.' 'If you regularly use an Android device,' Digregorio says, 'you may have noticed that notifications often include suggestions based on their content. This is particularly common — and useful — when the notifications come from messaging apps, where the system automatically suggests actions such as quick replies or opening a link.' Apple Warns Protesters With Stolen iPhones — You Are Being Tracked The blog post demonstrates that while 'developers do not explicitly implement this feature,' which is 'provided automatically by Android's notification system,' it affected apps including 'WhatsApp, Telegram, Instagram, Discord and Slack.' The notification itself is fine, it's the embedded link that's open to exploitation. As Android Authority explains, 'the system might show you a link to but when you tap 'Open link', it subtly takes you to instead.' This is because 'an invisible character was used to split the word into two.' Even though 'Android displayed the full address,' only was used 'as the actual link.' It's tricky to avoid tapping notification links, but if it's an unexpected link, I would agree with Android Authority and recommend opening the app itself and going directly to the source. This will vey likely be fixed now that it's in the public domain and open to exploitation. I have reached out to Google to confirm.
Android Authority
13-06-2025
- Android Authority
This Android notification exploit could trick you into opening some very unfriendly links
Joe Maring / Android Authority TL;DR A bug in Android notifications can cause the 'Open link' button to open a different link than the one displayed. Hidden characters in the messages can confuse the system, causing it to open a link that only makes up a part of the one in the displayed notification. Until Google issues a fix, it's safest to avoid using the 'Open link' button and open links manually in the app. You might want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you're actually opening, and the potentially dangerous consequences are apparent. In a clear and detailed blog post, Security researcher Gabriele Digregorio lays out how Android's 'Open link' button — the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack — can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link. For example, the system might show you a link to but when you tap 'Open link,' it subtly takes you to instead. That's exactly what happened in one test, where an invisible character was used to split the word into two. Android displayed the full address in the notification as if it were legit, but treated only the second part ( as the actual link. Digregorio demonstrates this example in the YouTube video below. It's easy to see how this could be used to trick people into visiting phishing sites, or even to trigger actions inside apps via deep links. One example in Digregorio's report shows a WhatsApp link that opens a chat with a preset message. This is a legitimate WhatsApp feature, but it's potentially risky if used deceptively. In theory, apps should always ask for confirmation before carrying out any action triggered by a link. However, some don't, which means tapping the wrong link could launch something instantly. Google was notified about the bug in March but hasn't patched it yet. In correspondence with the researcher, Google assessed the issue as moderate severity, which appears to mean it will be addressed in a future update, but doesn't warrant a separate and immediate security patch. At the time of the blog's publication on Wednesday, the issue still affected phones running Android 14, 15, and 16, including the Pixel 9 Pro. iPhones behave differently, highlighting suspicious links more clearly, but similar tricks are technically possible. Until a fix arrives, the safest option is to avoid tapping these notification-generated links altogether. If something looks important, open the app directly instead, and double-check any links before you visit them. Got a tip? Talk to us! Email our staff at Email our staff at news@ . You can stay anonymous or get credit for the info, it's your choice.
