- Hackers use invisible Unicode to trick Android into opening dangerous links from notifications
- The link looks normal, but Android secretly opens something else without warning or consent
- Even trusted apps like WhatsApp and Instagram are vulnerable to this hidden notification flaw
A security flaw in Android’s notification system could allow malicious actors to deceive users into opening unintended links or triggering hidden app actions, experts have warned.
Research from IO-NO claims that the flaw lies in how Android parses certain Unicode characters in notifications.
This creates a mismatch between what users see and what the system processes when the “Open Link” suggestion is shown.
What you see is not always what you get
The problem stems from the use of invisible or special Unicode characters embedded in URLs.
Once included in a message, these characters may cause Android to interpret the visible text and the actual actionable link differently.
For example, a notification may visibly show “amazon.com”, but the underlying code actually opens “zon.com”, because a zero-width space character has been inserted.
The notification appears as “ama[]zon.com,” including the hidden character. However, the suggestion engine interprets the hidden character as a separator, so it launches a completely different site.
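The mismatch described above can be checked for before a message is displayed or turned into a link. The following Python sketch is an added example, not code from the research or from Android: the suggester model (`_HOST`), the function names and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Simplified model (assumption, not Android's code): a link suggester that
# only accepts ASCII hostname characters, so any other character ends a token.
_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*\.[A-Za-z]{2,}")


def invisible_chars(text):
    """List (index, Unicode name) of format characters (category Cf),
    e.g. U+200B ZERO WIDTH SPACE, which render as nothing."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]


def first_host(text):
    """First hostname-like token the modelled suggester would extract."""
    m = _HOST.search(text)
    return m.group(0) if m else None


def audit_notification(text):
    """Compare the host a user reads with the host the model would open."""
    hidden = invisible_chars(text)
    # What the user perceives: the same text with invisible characters gone.
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    seen, opened = first_host(visible), first_host(text)
    # Flag only a real mismatch: zero-width joiners inside emoji or in
    # scripts that need them are legitimate and must not raise an alert.
    return {"seen": seen, "opened": opened, "hidden": hidden,
            "suspicious": seen != opened}


# Constructed sample messages, based on the amazon.com / zon.com case above.
SAMPLES = [
    "Track your order at amazon.com",
    "Track your order at ama\u200bzon.com",
    "\U0001F469\u200d\U0001F4BB deploy notes at example.com",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg), audit_notification(msg))
```

The third sample contains a zero-width joiner inside an emoji sequence and is reported as hidden but not suspicious, because the host the user reads and the host the model extracts are the same.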
In some cases, attackers can redirect users not only to websites, but also to deep links that interact directly with apps.
The report showed how a seemingly harmless shortened URL led to a WhatsApp call.
To make attacks less detectable, malicious actors can use URL shorteners and embed links in trustworthy-looking text.
The flaw becomes particularly dangerous when combined with app links or “deep links” that can silently trigger behavior, such as initiating messages or calls, or opening internal app views, without the user’s intent.
Tests on devices including the Google Pixel 9 Pro XL, the Samsung Galaxy S25 and older Android versions revealed that this misbehavior affects major apps such as WhatsApp, Telegram, Instagram, Discord and Slack.
Custom apps were also used to bypass character filtering and validate the attack across multiple scenarios.
Given the nature of this flaw, many standard defenses can fall short. Even the best antivirus solutions can miss these exploits, as they often do not involve traditional malware downloads.
Instead, attackers manipulate UI behavior and exploit app link configurations. Therefore, endpoint protection tools are needed that offer broader detection based on behavioral anomalies.
For users at risk of identity theft or app abuse, it is critical to rely on identity theft protection services to monitor unauthorized activity and secure vulnerable personal data.
Until a formal fix is implemented, Android users must remain careful with notifications and links, especially those from unknown sources or URL shorteners.



