Notifications in One UI 7 on a Galaxy S25 Ultra.

Credit: Joe Maring / Android Authority
  • A bug in Android notifications can cause the “Open link” button to open a different link than the one displayed.
  • Hidden characters in the messages can confuse the system, causing it to open a link that only makes up a part of the one in the displayed notification.
  • Until Google issues a fix, it’s safest to avoid using the “Open link” button and open links manually in the app.

You might want to think twice before tapping that link in your Android notifications, even if it looks safe. A newly discovered bug means that the link you see in the notification might not be the one you’re actually opening, and the consequences could be dangerous.

In a clear and detailed blog post, security researcher Gabriele Digregorio lays out how Android’s “Open link” button — the one that shows up in notifications from apps like WhatsApp, Instagram, or Slack — can be manipulated to send users to a completely different website than the one shown. The trick involves inserting hidden Unicode characters into a message, which can fool Android into reading the text differently when deciding which part of the notification text is the link.
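
A defensive check for the mismatch described above, as an added example that is not code from the researcher's post or from Android: it compares the link a matcher extracts from the raw message with the link a reader sees once invisible characters are dropped. Assumptions: `URL_RE` is a simplified stand-in for a linkifier, "hidden characters" are taken to be Unicode format characters (category `Cf`) because the article does not name them, and all function names and sample messages are constructed for illustration.

```python
import re
import unicodedata

# Simplified stand-in for a linkifier (assumption; NOT Android's matching logic).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def is_invisible(ch):
    # Cf = Unicode "format" characters: zero-width spaces and joiners,
    # bidi controls and similar code points that render as nothing.
    return unicodedata.category(ch) == "Cf"


def visible(text):
    """Approximate what the user sees: the text without invisible characters."""
    return "".join(c for c in text if not is_invisible(c))


def links(text):
    return [m.group(0) for m in URL_RE.finditer(text)]


def audit_notification(text):
    """Report hidden characters and whether they change which link is detected."""
    hidden = [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if is_invisible(c)]
    from_raw = links(text)             # what a matcher working on raw text extracts
    as_shown = links(visible(text))    # what the displayed text appears to contain
    return {
        "hidden": hidden,
        "link_from_raw": from_raw,
        "link_as_displayed": as_shown,
        # Flag only when the hidden characters actually alter link detection,
        # so legitimate uses (e.g. emoji joined with U+200D) are not reported.
        "mismatch": bool(hidden) and from_raw != as_shown,
    }


if __name__ == "__main__":
    # Constructed sample messages (reserved example domains).
    samples = [
        "See https://example.com/report today",
        "Shared file: docs.example\u200b.com/login",
        "Nice \U0001F468\u200d\U0001F469\u200d\U0001F467 photo",
    ]
    for s in samples:
        print(repr(s), audit_notification(s))
```

A messaging app or notification filter could run such a check on incoming text and either strip the format characters before display or suppress the link action when `mismatch` is true.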