Do you often open links directly from the notifications on your Android smartphone? You would do well to pay attention, because a "bug" in the operating system (partly present on iOS too) could leave room for ingenious phishing and scam attempts. Let's see what it is about.
The links opened from notifications may not be what they seem
As you probably know, Android has a useful feature that automatically shows a button to open links contained in messages: this way you can open links directly from notifications, without having to go through the application (WhatsApp, Messages and so on). However, this mechanism hides a potential problem, reported to us by a cybersecurity researcher.
Android notifications do not handle some Unicode characters correctly, and this can cause inconsistencies between what is displayed and what the automatic suggestions actually use. Through this "trick", attackers could open links other than those shown, exploiting it for phishing attempts or even to trigger deep links.
In the example shown by the researcher, we can see a notification that seems to suggest opening an Amazon link (www.amazon.com) but actually hides a nasty rip-off. By tapping "Open Link" you are in fact taken to the site "Zon.com" (an empty site, at the moment). How is this possible? As mentioned, the problem lies in the way Android handles some Unicode characters in notifications: these characters are not filtered or processed consistently, causing a discrepancy between what is displayed and what the suggestion engine analyzes.

Going back to the example, the actual text of the message was "ama[]zon.com", where "[]" represents an invisible Unicode character (U+200B, the zero-width space). The Android system recognizes only "Zon.com" as a valid link, while the user sees Amazon.com: the consequence is that a link other than the expected one is opened.
The same behavior can trick users into activating app links or deep links. Here is a clarifying example:
The actual text is "Wired.[]com/Something-HERE-[]W.ME/1234567890?text=prove", and the system instead considers "W.ME/1234567890?text=prove", consequently starting WhatsApp with a pre-filled message. This happens because it invokes a deep link inside the messaging app that opens a specific screen, in this case a chat window with the number 1234567890 and the message "provola". This type of link could prove dangerous if exploited by an attacker: deep links can in fact be misused to trigger unwanted behavior in the app, especially with apps that (unfortunately) do not ask the user for confirmation on deep links (including WhatsApp, Telegram, Instagram, Discord and Slack).
In this case it is easier to realize that something is wrong, since the WhatsApp icon is shown instead of the browser's. To make the attack less detectable, however, attackers could rely on shortened URLs (like TinyURL), which redirect while hiding the real address. Here is an example: the text of the notification is "Wired.[]com/Found-Vulnerability-[]Tinyurl.com/cardarella", where this last part actually points to "WhatsApp://Call-Phone-Number?Phone=1234567890", which starts a WhatsApp call.
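The two examples above (the "ama[]zon.com" case and the deep-link case) both come down to the same mismatch: the rendered text hides a format character, while a tokenizer that splits on it sees a different host. The following is an added example, not code from the article or from Android: a small Python audit that flags message text containing invisible Unicode format characters and compares the link a naive tokenizing linkifier would suggest with the link a reader would see. The simple linkifier is an assumption standing in for Android's suggestion engine, not its real implementation.

```python
import re
import unicodedata

# Looks like a host name or URL, optionally with a scheme and a path.
URL_RE = re.compile(r"(?:[a-z][a-z0-9+.-]*://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def is_invisible(ch):
    """True for Unicode format characters (category Cf), e.g. U+200B."""
    return unicodedata.category(ch) == "Cf"

def tokens(text):
    """Split on whitespace AND on invisible format characters, the way a
    naive linkifier might (assumption mirroring the behaviour described)."""
    out, cur = [], []
    for ch in text:
        if ch.isspace() or is_invisible(ch):
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out

def extract_links(text):
    """Links the tokenizing linkifier would offer for this text."""
    links = []
    for tok in tokens(text):
        m = URL_RE.search(tok)
        if m:
            links.append(m.group(0))
    return links

def displayed_text(text):
    """What the user sees: format characters render as nothing."""
    return "".join(ch for ch in text if not is_invisible(ch))

def find_invisible(text):
    """(index, Unicode name) of every hidden format character."""
    return [(i, unicodedata.name(ch, "?")) for i, ch in enumerate(text) if is_invisible(ch)]

def audit(text):
    """Compare suggested links against links visible in the rendered text.
    A mismatch means the notification would open something other than
    what the reader believes they are tapping."""
    shown = displayed_text(text)
    suggested = extract_links(text)
    return {"displayed": shown, "suggested": suggested,
            "hidden_chars": find_invisible(text),
            "mismatch": suggested != extract_links(shown)}
```

A notification pipeline can use the `hidden_chars` list to strip or visibly mark format characters before linkifying, which is the behaviour the article credits iOS with.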
And Google?
The tests were carried out on several models (Google Pixel 9 Pro XL with Android 16, Google Pixel 9 Pro with Android 15, Samsung Galaxy S25 with Android 15 and Samsung Galaxy S21 Ultra with Android 14), and all of them showed the problem. The researcher promptly reported it to Google on 11 March 2025: the Mountain View company classified it as moderate severity and has not yet resolved the matter.
We hope Big G decides to fix it as soon as possible, because the potential for dangerous phishing attacks (and not only) is all there. For now, we advise you to pay more attention to the links suggested by Android: do not take for granted that they are legitimate, especially if they come from suspicious contacts.
We close with a note on iOS and iPadOS, just for comparison. Something similar happens on Apple's operating systems, but with a very relevant difference: the system splits the URL at the invisible Unicode character, but the corresponding part of the link is formatted with a different color and underlining, making it easier for the user to spot the abnormal behavior.
For more details on the matter you can consult this link (don't worry, you can trust this one).