- Pushpaganda Campaign Uses AI Content to Expand Global Notification Scams
- Google Discover is being misused to spread misleading fraudulent content
- Users are prompted to enable notifications that generate continuous threats
A large-scale ad fraud and scareware campaign called Pushpaganda exploited Google’s Discover feed to send malicious notifications to Android and Chrome users around the world.
According to HUMAN’s Satori Threat Intelligence team, “Pushpaganda is, at the highest level, a case of social engineering.”
The operation uses AI-generated articles and images to trick users into clicking on misleading news stories that appear in their personalized content feeds.
How the scam works
Once a user lands on an actor-controlled domain, the site manipulates them into enabling push notifications, which then deliver various threats.
The threat actors created a collection of 113 domains and used AI tools to generate sensationalist headlines and misleading images designed to drive high engagement.
Common lures include fake arrest warrants, police notices, fake bank deposits, and unrealistic technical claims about $100 smartphones with 300 MP cameras.
If a user agrees to allow notifications from these sites, they begin to see a series of intimidating alerts that have nothing to do with the domain from which they were activated.
Some notifications mimic missed calls from family members, while others send urgent tax review notices or government direct deposit alerts.
Clicking on a notification associated with Pushpaganda redirects the user to another actor-controlled domain.
These domains use deceptive buttons labeled “Apply Now”, “Claim Now” or “Join WhatsApp”.
However, these buttons use JavaScript to redirect users to additional internal articles or to different actor-controlled domains.
A JavaScript rotation algorithm also forces inactive browser tabs to automatically cycle through various actor-owned pages.
This rotation generates additional ad loads and makes the sites appear high-quality to ad networks.
At its peak, HUMAN observed approximately 240 million auction requests associated with Pushpaganda domains over a single seven-day period.
Ads on these fraudulent domains contain deepfakes referencing celebrities or medical professionals to exploit user trust at scale.
The operation initially targeted users in India, but has since expanded to the United States, Australia, Canada, South Africa and the United Kingdom.
A Google spokesperson said the company keeps the vast majority of spam out of Discover through anti-spam systems and that a fix for the spam issue in question has been rolled out.
A standard firewall or antivirus cannot block these push notifications at the browser level, making user awareness a very effective defense.
Users should never enable push notifications from unknown websites, regardless of how legitimate the content appears.
To block existing malicious notifications, users can go to their browser settings and revoke notification permissions for any suspicious domains.
Mobile users should also check the notification settings in their Chrome browser or Android system settings to remove unauthorized subscriptions.
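For the revocation step above, an added example (not from the article or HUMAN's report) that lists every site a desktop Chrome profile currently allows to send notifications, newest grant first, so unfamiliar domains can be revoked in settings. It assumes the profile's `Preferences` JSON stores these grants under `profile.content_settings.exceptions.notifications`; the function name and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # Chrome content-setting value: 1 = allow, 2 = block
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of last_modified

# Constructed sample of the relevant part of a Chrome profile "Preferences" file.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://news-flash.example:443,*":
            {"last_modified": "13350000000000000", "setting": 1},
        "https://daily-alerts.example:443,*":
            {"last_modified": "13360000000000000", "setting": 1},
        "https://mail.trusted.example:443,*":
            {"last_modified": "13340000000000000", "setting": 1},
        "https://blocked.example:443,*":
            {"last_modified": "13355000000000000", "setting": 2},
    }}}}})


def granted_notification_origins(prefs_text, trusted=()):
    """Return (host, granted_at) for every site allowed to send notifications,
    newest grant first, skipping hosts under the caller's trusted domains."""
    node = json.loads(prefs_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    findings = []
    for pattern, entry in (node.items() if isinstance(node, dict) else ()):
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue
        origin = pattern.split(",", 1)[0]  # "primary,secondary" pattern pair
        try:
            host = urlsplit(origin).hostname or origin
        except ValueError:  # wildcard patterns such as [*.]site
            host = origin
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue
        try:
            granted = WEBKIT_EPOCH + timedelta(
                microseconds=int(entry.get("last_modified")))
        except (TypeError, ValueError, OverflowError):
            granted = None  # timestamp missing or malformed
        findings.append((host, granted))
    return sorted(findings, key=lambda f: f[1] or WEBKIT_EPOCH, reverse=True)


if __name__ == "__main__":
    for host, when in granted_notification_origins(SAMPLE_PREFS, ("trusted.example",)):
        print(when or "unknown", host)
```

To audit a real profile, pass the text of its `Preferences` file instead of `SAMPLE_PREFS`; the script only reads, and revocation is still done in the browser's notification settings.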