
- Hackers are using invisible Unicode to trick Android into opening dangerous links from notifications
- The link looks normal, but Android opens something else without warning or consent
- Even trusted apps like WhatsApp and Instagram are vulnerable to this hidden notification exploitation.
A security flaw in Android’s notification system may allow malicious actors to deceive users into opening unexpected links or triggering hidden app actions, experts have warned.
Research from IO-no claims that the flaw lies in how Android notifications handle certain Unicode characters.
This creates a mismatch between what users see and what the system processes when the “Open link” suggestion appears.
What you see is not always what you get
The problem stems from the use of invisible or special Unicode characters within URLs.
When embedded in a message, these characters can cause Android to interpret the visible text and the actual actionable link differently.
For example, a notification can visibly display “amazon.com”, while the underlying code actually opens “zon.com”, because of an embedded zero-width space character.
The notification is displayed as “ama()zon.com”, including the hidden character. However, the suggestion engine interprets that hidden character as a separator, which results in a completely different site being launched.
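An added example, not code from the report or from Android: a Python check that an app could run on message text before posting it as a notification, flagging cases where the displayed link and the detected link differ. It assumes, as described above, that the link detector treats each hidden character as a separator; the URL pattern and all function names are illustrative.

```python
import re
import unicodedata

# Loose URL-like pattern for this demo (an assumption, not Android's link detector).
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def is_invisible(ch):
    # Category Cf covers zero-width space and joiners, word joiner, BOM, soft hyphen.
    return unicodedata.category(ch) == "Cf"

def visible_text(text):
    """What the user perceives: format characters render as nothing."""
    return "".join(ch for ch in text if not is_invisible(ch))

def separator_view(text):
    """Model of a detector that treats each hidden character as a separator."""
    return "".join(" " if is_invisible(ch) else ch for ch in text)

def audit_notification(text):
    """Return one finding per link that would be detected but is not the link shown."""
    hidden = [f"U+{ord(ch):04X}" for ch in text if is_invisible(ch)]
    if not hidden:
        return []
    shown = LINK_RE.findall(visible_text(text))
    detected = LINK_RE.findall(separator_view(text))
    return [
        {"detected": link, "displayed": shown, "hidden": hidden}
        for link in detected
        if link not in shown
    ]

if __name__ == "__main__":
    # Constructed sample messages; \u200b is the zero-width space.
    for msg in ("Deal at ama\u200bzon.com today", "Deal at amazon.com today"):
        print(repr(msg), "->", audit_notification(msg))
```

Passing message text through `visible_text` before it reaches the notification removes the hidden characters, so the displayed link and the detected link are the same string.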
In some cases, attackers can redirect users not only to websites but also to deep links that interact directly with apps.
The report showed how a harmless-looking shortened URL led to a WhatsApp call.
To make the attacks less detectable, malicious actors can use URL shorteners and embed the links in trustworthy-looking text.
The flaw becomes particularly dangerous when combined with app links or “deep links”, which can silently trigger behaviors such as messages, calls, or internal app views without the user’s intent.
Testing on devices including the Google Pixel 9 Pro XL, Samsung Galaxy S25, and older Android versions has shown that the misbehavior affects major apps such as WhatsApp, Telegram, Instagram, Discord and Slack.
Custom apps were used to bypass character filtering and validate the attack in many scenarios.
Given the nature of this flaw, many standard defenses may fall short. Even the best antivirus solutions can miss these exploits, as they often do not involve traditional malware downloads.
Instead, attackers manipulate UI behavior and exploit app link configurations. Therefore, there is a need for endpoint protection tools that offer broader detection based on behavioral anomalies.
For users at risk of credential theft or app abuse, relying on identity theft protection services becomes important for monitoring unauthorized activity and securing personal data.
Until a formal fix is applied, Android users should be cautious with notifications and links, especially those from unfamiliar sources or URL shorteners.

