Invisible Character Bug in Android Notifications Enables Phishing Attacks

An invisible threat lurks in your Android notifications. A recently discovered bug allows malicious actors to redirect users to phishing websites via seemingly legitimate links. The bug, identified in March 2025, exploits an invisible character inserted into links, making them appear normal to the user. "It's incredibly deceptive," says a cybersecurity expert. "Users see what looks like a familiar link, like amazon.com, but the invisible character changes the destination to a malicious site." The video showcases a practical example: a notification displaying an Amazon link that, due to the bug, redirects to a completely different, potentially harmful website. While this issue is known to Google, a resolution remains elusive. iOS users are less vulnerable. The vulnerability underscores the need for caution when clicking links from unknown sources or notifications. Users should carefully examine links before clicking, and report suspicious activity to the appropriate authorities.