- Hackers are using invisible Unicode to trick Android into opening harmful links from notifications
- The link looks normal, but Android secretly opens something else without warning or consent
- Even trusted apps like WhatsApp and Instagram are vulnerable to this hidden notification exploit
A security flaw in Android's notification system could allow malicious actors to deceive users into opening unintended links or triggering hidden app actions, experts have warned.
Research from io-no claims the flaw lies in how Android parses certain Unicode characters inside notifications.
This creates a mismatch between what users see and what the system processes when the "Open Link" suggestion appears.
What you see isn't always what you get
The problem stems from the use of invisible or special Unicode characters embedded within URLs.
When included in a message, these characters can cause Android to interpret the visible text and the actual actionable link differently.
For example, a notification might visibly display "amazon.com," but the underlying code actually opens "zon.com," with an inserted zero-width space character.
The notification displays as "ama[]zon.com," including the hidden character. However, the suggestion engine interprets that hidden character as a separator, which results in it launching an entirely different website.
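The mismatch described above can be checked for on the receiving side. The following is an added example, not code from the io-no report or from Android: it flags invisible characters in notification text and compares the host a reader sees with the host a separator-based parser would extract. The regular expression is a hypothetical stand-in for the suggestion engine's tokenization, and the sample string is constructed.

```python
import re
import unicodedata

# Constructed sample: "ama" + ZERO WIDTH SPACE (U+200B) + "zon.com", as in the article.
SAMPLE = "Deal of the day: ama\u200bzon.com"

# Assumption: a host-like token ends at any character that is not a letter,
# digit, dot or hyphen, so an invisible character splits the token in two.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def invisible_chars(text):
    """Return (index, name) for each format/control character (Cf, Cc), except newline and tab."""
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) in ("Cf", "Cc") and ch not in "\n\t":
            hits.append((i, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits

def visible_text(text):
    """Approximate what the user reads: the text with invisible characters dropped."""
    hidden = {i for i, _ in invisible_chars(text)}
    return "".join(ch for i, ch in enumerate(text) if i not in hidden)

def audit_notification(text):
    """Compare hosts as displayed with hosts as a separator-based parser extracts them."""
    seen = sorted(set(HOST_RE.findall(visible_text(text))))
    parsed = sorted(set(HOST_RE.findall(text)))
    return {
        "invisible": invisible_chars(text),
        "seen_hosts": seen,
        "parsed_hosts": parsed,
        "mismatch": seen != parsed,
    }

if __name__ == "__main__":
    for key, value in audit_notification(SAMPLE).items():
        print(f"{key}: {value}")
```

An app that builds notifications from untrusted message text can run a check like this before posting, and strip or visibly mark the flagged characters when `mismatch` is true.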
In some cases, attackers can redirect users not just to websites but also to deep links that interact directly with apps.
The report showed how a seemingly harmless shortened URL led to a WhatsApp call.
To make attacks less detectable, malicious actors can use URL shorteners and embed links into trusted-looking text.
The flaw becomes particularly dangerous when combined with app links or "deep links" that can silently trigger behaviors such as initiating messages, calls, or opening internal app views without user intent.
Tests on devices including the Google Pixel 9 Pro XL, Samsung Galaxy S25, and older Android versions revealed that this misbehavior affects major apps like WhatsApp, Telegram, Instagram, Discord, and Slack.
Custom apps were also used to bypass character filtering and validate the attack across multiple scenarios.
Given the nature of this flaw, many standard defenses may fall short. Even the best antivirus solutions may miss these exploits, as they often don't involve traditional malware downloads.
Instead, attackers manipulate UI behavior and exploit app link configurations. Therefore, there is a need for endpoint protection tools, which offer broader detection based on behavioral anomalies.
For users at risk of credential theft or app abuse, relying on identity theft protection services becomes critical to monitor unauthorized activity and secure exposed personal data.
Until a formal fix is implemented, Android users should remain cautious with notifications and links, especially those from unfamiliar sources or URL shorteners.