Android Notifications Bug Lets Sketchy URLs Slip Through

Watch out the next time you tap a link from your notifications – it might not take you where you think.
A recent discovery highlights a sneaky way that ordinary-looking Android alerts can mislead you. A security researcher found that the “Open link” option in Android notifications doesn’t always follow the visible URL. Instead, invisible Unicode characters can mask the real destination.
According to Android Authority, the manipulation works like this: a notification might display “amazon.com,” but when you tap, it quietly sends you to “zon.com” by slipping in invisible characters that split the URL. That’s clever—and dangerous—if cybercriminals exploit the trick.
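
The check below is an added example, not code from the researcher, Android Authority or Google. It flags notification text in which a URL-like token contains invisible Unicode format characters and shows how the on-screen text differs from the pieces a link detector could pick up. The function names, the sample string and the choice of U+200B are assumptions; the article does not say which character was used or how Android parses the text.

```python
import unicodedata

def is_invisible(ch):
    # Unicode general category Cf ("format") covers zero-width and joiner characters.
    return unicodedata.category(ch) == "Cf"

def split_on_invisible(token):
    """Split a token at every invisible character, dropping empty pieces."""
    parts, current = [], []
    for ch in token:
        if is_invisible(ch):
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p]

def audit_notification_text(text):
    """Report URL-like tokens whose on-screen form hides invisible characters."""
    findings = []
    for token in text.split():  # str.split() does not break on Cf characters
        hidden = [unicodedata.name(ch, f"U+{ord(ch):04X}")
                  for ch in token if is_invisible(ch)]
        if not hidden or "." not in token:
            continue
        segments = split_on_invisible(token)
        findings.append({
            "visible": "".join(segments),  # what the user reads on screen
            "hidden": hidden,              # names of the invisible code points
            # Assumption: a link detector stops at an invisible character, so only
            # a segment that still looks like a host can become the real target.
            "linkable": [s for s in segments if "." in s],
        })
    return findings

# Constructed sample: reads as "amazon.com" but carries a zero-width space.
SAMPLE = "Your order has shipped: ama\u200bzon.com"

if __name__ == "__main__":
    for finding in audit_notification_text(SAMPLE):
        print(finding)
```

An app or filter that handles notification text can reject or strip any token this check reports before the text is shown or linked.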
This method isn’t just theoretical. In tests, the researcher showed how phishing sites or silent app actions could load instead of the trusted site. Deep links—those that perform specific actions in apps (like opening a chat on WhatsApp)—can also be hijacked. Some apps don’t pause to ask you to confirm, which means unwanted actions could happen without you doing a thing.
Google was told about this in March. While it hasn’t released a fix yet, it did respond to Android Authority on June 13 saying it’s working on a security patch.
For now, the safest route is to ignore the “Open link” button in alerts. Instead, open notifications in the app itself or copy the link into your browser manually. It might feel like extra work, but it’s the only sure way to stay safe in the meantime.