Android notifications are integral to our daily smartphone experience, helping us stay informed about messages, calls, events, news updates, social media activity, and more at a glance. However, it looks like those same notifications also have the potential to put you in a vulnerable situation.
No, the notifications themselves aren’t malicious, but a security researcher just highlighted an ingenious way threat actors can use normal-looking notifications to trick you into opening a malicious link.
Computer engineer Gabriele Digregorio pointed out (via Android Authority) that the Android notification system’s interactive “Open link” prompt can be used by fraud actors to direct you to a link that looks harmless while secretly redirecting you to a completely different and potentially dangerous website.
That vulnerability lies in notifications not being able to properly handle some Unicode characters, “leading to inconsistencies between what is displayed and what is used by the automatic Open Link suggestions,” according to Digregorio.
The “Open link” prompts in question here, for visual reference, are the ones shown below. In these cases, the researcher points out that a threat actor can embed Unicode characters within a website’s link. Since the Android notification system cannot filter those characters properly, they don’t always appear in the notification’s link preview. The notification system itself breaks the link text into two parts (separated by the hidden characters), and reads only a portion of the link as the actual destination for the “Open link” button.
This vulnerability can still be exploited
Digregorio highlighted this with the example of an Amazon link. By adding a Unicode character between ‘ama’ and ‘zon,’ the security researcher was able to make the notification display ‘amazon.com’ while the Open link button actually led to ‘zon.com.’
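The display-versus-destination mismatch described above, reproduced as an added example (not the researcher's code or Android's implementation): a naive linkifier that stops at any non-URL character stands in for the “Open link” suggester, and a defender-side check flags text whose hidden format characters change what the linkifier would open. The exact character used in the original report is not given, so a zero-width space is assumed here.

```python
import re
import unicodedata

# Constructed notification text modelled on the article's Amazon example.
# The article does not say which character was used; U+200B (zero-width
# space) is assumed as an illustrative hidden character.
SAMPLE_TEXT = "Your order has shipped: https://ama\u200bzon.com/track"

# Minimal linkifier standing in for an "Open link" suggester (an assumption
# for this example, not Android's real logic). It only accepts typical URL
# characters, so an invisible format character silently splits the link.
_URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[\w./?=&%-]*)?", re.I)

# Unicode categories that never belong in a legitimate URL: Cf (format
# characters such as zero-width and bidi controls) and Cc (raw controls).
_HIDDEN = ("Cf", "Cc")


def naive_links(text):
    """Links the naive linkifier would offer to open."""
    return [m.group(0) for m in _URL_RE.finditer(text)]


def hidden_chars(text):
    """Return (index, name) for every invisible/format character in text."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) in _HIDDEN]


def sanitize(text):
    """Drop format/control characters so display and destination agree."""
    return "".join(ch for ch in text if unicodedata.category(ch) not in _HIDDEN)


def check_notification(text):
    """Defender-side check: does hidden Unicode change what would be opened?

    Returns (flagged, links_in_raw_text, links_after_sanitizing).
    """
    raw = naive_links(text)
    clean = naive_links(sanitize(text))
    flagged = bool(hidden_chars(text)) and raw != clean
    return flagged, raw, clean


if __name__ == "__main__":
    print("hidden:", hidden_chars(SAMPLE_TEXT))
    print("check :", check_notification(SAMPLE_TEXT))
```

Rendering the sanitized text, or refusing to linkify text that `hidden_chars` flags, keeps the visible link and the opened destination identical.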
In another example, the researcher was able to trigger an action within WhatsApp by embedding a relevant ‘wa.me’ link within a link to a Wired article.
The researcher tested this across several apps, including WhatsApp, Telegram, Instagram, Discord, and Slack, but pointed out that it’s the notification system that’s being exploited here, and not the apps. The researcher also clarified that they tested the vulnerability on a Google Pixel 9 Pro XL, a Google Pixel 9 Pro, a Samsung Galaxy S25, and a Samsung Galaxy S21 Ultra running Android 16, Android 15, Android 15, and Android 14, respectively.
Google was made aware of the issue in March through the Google Bug Hunter program, with the tech giant marking it as a ‘moderate severity’ vulnerability. That means that the exploit will not be immediately patched. Instead, it will be addressed in a future security update.