Android Notifications Glitch May Deceive Users into Clicking Dangerous Links – Android Authority

Recent findings reveal a significant security flaw in Android notifications that could lead users to misleading and potentially harmful links. This issue, identified in the “Open link” buttons associated with notifications from popular apps like WhatsApp, Instagram, and Slack, can trick users into opening entirely different websites than the ones displayed. The security research by Gabriele Digregorio explains that hidden Unicode characters can be embedded in messages, creating a situation where the visible link shown in the notification misrepresents the actual destination.

For example, the notification might display a link to Amazon.com, yet pressing the “Open link” button takes the user to zon.com instead. The mismatch occurs because the system treats only a portion of the displayed text as the link, so the button opens a destination other than the one the user sees. Such a vulnerability raises alarms because it creates a significant risk of phishing attacks or of unwanted actions being triggered within apps.
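As an added example (not code from Digregorio's report or from Android), the following check shows how a messaging backend or notification filter could flag text whose visible link conceals hidden characters before it is displayed. It assumes "hidden" means Unicode general category Cf; the function names and the sample message are constructed for illustration.

```python
import re
import unicodedata

# Loose host[/path] matcher for triage; not a full URL grammar.
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
TRIM = ".,;:!?()[]<>\"'"


def is_hidden(ch: str) -> bool:
    # Assumption: "hidden" = Unicode category Cf (format characters with no
    # visible glyph). The page does not name specific code points.
    return unicodedata.category(ch) == "Cf"


def find_split_links(message: str) -> list[dict]:
    """Flag link-like tokens whose displayed form conceals format characters."""
    findings = []
    for raw in message.split():
        token = raw.strip(TRIM)
        hidden = [c for c in token if is_hidden(c)]
        if not hidden:
            continue
        shown = "".join(c for c in token if not is_hidden(c))
        if not LINK_RE.fullmatch(shown):
            continue  # hidden characters, but the visible text is not a link
        # Substrings a linkifier could pick up on its own if it treats a
        # hidden character as the end of the link.
        pieces = "".join("\n" if is_hidden(c) else c for c in token).split("\n")
        findings.append({
            "shown": shown,
            "hidden": sorted({f"U+{ord(c):04X}" for c in hidden}),
            "linkable_pieces": [p for p in pieces if LINK_RE.fullmatch(p)],
        })
    return findings


if __name__ == "__main__":
    # Constructed sample: a zero-width space (U+200B) inside the visible host.
    sample = "Order update: ama\u200bzon.com/track, please confirm"
    for finding in find_split_links(sample):
        print(finding)
```

A non-empty result means the text a user reads and the substring a link detector may act on can differ, which is the condition described above; such messages can be rejected or shown with the hidden characters stripped.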

One case detailed in Digregorio’s report involves a WhatsApp link that opens a chat with a pre-determined message; this is a standard feature, but it can serve deceptive purposes in this context. The problem is compounded by some apps not asking for user confirmation before carrying out actions triggered by these links. Google has known about the bug since March but has yet to deliver a fix.

While Google rates the issue as moderate severity, it does not appear to treat a patch as urgent. Devices running Android versions 14, 15, and 16, including the Pixel 9 Pro, currently remain at risk. Users are advised to avoid tapping these notification links for the time being and instead to open the app directly and verify any links before proceeding.
