Do Not Click These Notifications On Your Phone
Forbes

13-06-2025

More links you cannot click.

A surprise warning for Android users heading into the weekend. It turns out on-screen notification links for even the most popular apps on your phone can be hijacked by attackers and used to redirect you to malicious websites or even to malware.

Android Authority picked up the security warning from security researcher Gabriele Digregorio, and warns 'until Google issues a fix, it's safest to avoid using the 'Open link' button' within on-screen notifications, 'and open links manually in the app.'

In his blog post, Digregorio explains that 'Android notifications do not properly handle some Unicode characters, leading to inconsistencies between what is displayed and what is used by the automatic 'Open Link' suggestions. This may trick users into opening a different link from the one shown in the notification.'

That's dangerous, because the flaw 'can be exploited for phishing or to trigger app links and deep links.' Per Android Authority, even though 'Google was notified about the bug in March, [it] hasn't patched it yet.' The disclosure confirms that 'the issue still affects phones running Android 14, 15, and 16, including the Pixel 9 Pro.'

'If you regularly use an Android device,' Digregorio says, 'you may have noticed that notifications often include suggestions based on their content. This is particularly common — and useful — when the notifications come from messaging apps, where the system automatically suggests actions such as quick replies or opening a link.'

The blog post demonstrates that while 'developers do not explicitly implement this feature,' which is 'provided automatically by Android's notification system,' it affected apps including 'WhatsApp, Telegram, Instagram, Discord and Slack.' The notification itself is fine; it's the embedded link that's open to exploitation.

As Android Authority explains, 'the system might show you a link to but when you tap 'Open link', it subtly takes you to instead.' This is because 'an invisible character was used to split the word into two.' Even though 'Android displayed the full address,' only was used 'as the actual link.'

It's tricky to avoid tapping notification links, but if it's an unexpected link, I would agree with Android Authority and recommend opening the app itself and going directly to the source. This will very likely be fixed now that it's in the public domain and open to exploitation. I have reached out to Google to confirm.
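A defensive check for the display/link mismatch described above, added here as an illustration and not taken from the article or from Digregorio's post. It assumes the "invisible character" belongs to Unicode category Cf (format characters such as zero-width space); the function name, the sample text and the `.example` domain are constructed, and the segment split is a simplified model, not Android's actual link matcher.

```python
import unicodedata


def _is_hidden(ch):
    # Assumption: invisible characters are modelled as Unicode category Cf
    # (zero-width space/joiner, word joiner, soft hyphen, BOM, bidi marks).
    return unicodedata.category(ch) == "Cf"


def audit_notification(text):
    """Flag link-like tokens whose rendered form hides a format character.

    Returns one finding per suspicious token with:
      displayed        - what the user sees (format characters render as nothing)
      hidden           - (index, Unicode name) of each format character
      possible_targets - link-like pieces a matcher could extract if it treats
                         the hidden character as a boundary (simplified model)
    """
    findings = []
    for token in text.split():
        # Only inspect link-like tokens: Cf characters are legitimate in
        # ordinary text (emoji joiners, bidi marks), so limit false positives.
        if "." not in token or not any(_is_hidden(c) for c in token):
            continue
        hidden = [(i, unicodedata.name(c, f"U+{ord(c):04X}"))
                  for i, c in enumerate(token) if _is_hidden(c)]
        displayed = "".join(c for c in token if not _is_hidden(c))
        # Tokens contain no whitespace, so "\n" is a safe split sentinel.
        segments = "".join("\n" if _is_hidden(c) else c for c in token).split("\n")
        targets = [s for s in segments if "." in s and s != displayed]
        findings.append({"displayed": displayed,
                         "hidden": hidden,
                         "possible_targets": targets})
    return findings


# Constructed sample: a zero-width space splits the host name in two.
SAMPLE = "Invoice ready: docs\u200bportal.example/login"
CLEAN = "Invoice ready: docsportal.example/login"

if __name__ == "__main__":
    for finding in audit_notification(SAMPLE):
        print(finding)
```

A messaging app or mail gateway could run a check like this on inbound text and strip or reject link tokens that produce a finding.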
