Валентин Шнайдер
Gadgets
23 June 2025, 14:01
Android vulnerability allows hackers to trigger actions in apps without user consent
Android users are at risk of being redirected to fraudulent websites or unknowingly running commands in apps due to a newly discovered vulnerability in the notification system. Everything looks like a normal message with a link, but in reality it opens a completely different URL or activates a hidden action.
According to TechRadar, the issue stems from Android’s incorrect handling of Unicode characters. Research by the io-no team showed that the text of a message containing a link can include invisible characters that change the actual URL the user opens when tapping it.
For example, you see a message with a link to «amazon.com», but because of an inserted zero-width space, Android actually opens a completely different address, such as «zon.com». The system does not display the hidden character, but treats it as a separator, which changes what the «open link» button does.
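A simple way to check link text for this class of trick is to look for code points that render as nothing and compare what the user sees with what a separator-based parser would extract. The script below is an added example written for this article, not code from the io-no researchers, TechRadar or Android; the `naive_split_target` function is a deliberately simplified model of the flaw described above (it assumes the parser keeps the fragment after the last invisible character), not Android's real link handling, and the sample message is constructed.

```python
import unicodedata

# Unicode general categories that draw nothing on screen:
# Cf = format characters (zero-width space, word joiner, BOM, bidi controls, soft hyphen),
# Cc = control characters, Co = private use, Cn = unassigned.
# Cc includes line breaks, so apply these checks to the link span, not to a whole message body.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}


def is_invisible(ch: str) -> bool:
    return unicodedata.category(ch) in INVISIBLE_CATEGORIES


def find_invisible_chars(text: str) -> list[tuple[int, str, str]]:
    """Return (index, U+XXXX, Unicode name) for every invisible code point in text."""
    hits = []
    for i, ch in enumerate(text):
        if is_invisible(ch):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def rendered_form(text: str) -> str:
    """What the user sees: the text with invisible code points removed."""
    return "".join(ch for ch in text if not is_invisible(ch))


def naive_split_target(text: str) -> str:
    """Simplified model (assumption, not Android's parser) of the behaviour the article
    describes: an invisible character is treated as a separator, and the fragment after
    the last separator becomes the address that is actually opened."""
    fragments, current = [], []
    for ch in text:
        if is_invisible(ch):
            fragments.append("".join(current))
            current = []
        else:
            current.append(ch)
    fragments.append("".join(current))
    return fragments[-1]


def assess_link_text(text: str) -> dict:
    """Flag a link whose rendered form differs from the target a separator-based parser yields."""
    shown = rendered_form(text)
    parsed = naive_split_target(text)
    return {
        "invisible_chars": find_invisible_chars(text),
        "rendered": shown,
        "parsed_target": parsed,
        "mismatch": shown != parsed,
    }


if __name__ == "__main__":
    # Constructed sample: looks like amazon.com, carries a zero-width space after "ama".
    sample = "ama\u200bzon.com"
    report = assess_link_text(sample)
    print("rendered as :", report["rendered"])
    print("parsed as   :", report["parsed_target"])
    print("hidden chars:", report["invisible_chars"])
    print("mismatch    :", report["mismatch"])
```

In a notification-filtering or mail-gateway context the useful signal is `mismatch` together with the list of hidden code points; legitimate link text almost never contains format characters, so a non-empty `invisible_chars` list alone is already worth flagging.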
This vulnerability becomes especially dangerous when attackers use so-called deep links, which are links that directly launch functions inside an application. For example, a short message can open a call window in WhatsApp or trigger internal functions of Instagram, Discord, Telegram or Slack.
The study found that the attack works on a number of devices, including the Google Pixel 9 Pro XL, Samsung Galaxy S25, and older models. Custom apps and URL shortening services that mask the true content of the link were used to bypass filters.
Antivirus software is powerless in such cases, because this is not classic malware but a manipulation of interface behavior and application settings. Experts therefore advise using device-level protection tools that can detect anomalies in system behavior.
This is not the first time Android has faced such attacks: the openness of the platform provides flexibility, but also leaves room for manipulation at the API and UI levels. Google has already dealt with similar situations, including phishing links in SMS and message substitution in notifications. The company has not yet officially commented on the new vulnerability, so users are advised to be especially careful: do not follow suspicious links, avoid shortened URLs, and do not tap notifications from unknown sources.
We previously reported that a new variant of the Android Trojan Crocodilus has learned to replace trusted callers by adding fake entries to the victim’s contact book. This way, attackers can impersonate «bank support» and increase the chances of successful fraud.