- Pushpaganda campaign weaponizes AI content to scale global notification scams
- Google Discover is being abused to deliver deceptive scam content
- Users are tricked into enabling notifications that deliver continuous threats
A large-scale ad fraud and scareware campaign dubbed Pushpaganda has exploited Google’s Discover feed to push malicious notifications to Android and Chrome users worldwide.
According to HUMAN’s Satori Threat Intelligence Team, “Pushpaganda is, at the highest level, a case of social engineering.”
The operation uses AI-generated articles and images to lure users into clicking deceptive news stories that appear in their personalized content streams.
How the scam works
Once a user lands on an actor-controlled domain, the site manipulates the user into enabling push notifications that later deliver various threats.
The threat actors created a collection of 113 domains and used AI tools to generate sensationalist headlines and misleading images designed to drive high engagement.
Common lures include fake arrest warrants, police notices, false bank deposits, and unrealistic tech claims about $100 smartphones with 300MP cameras.
If a user agrees to allow notifications from these sites, the user begins seeing a series of intimidating alerts bearing no relationship to the domain from which they were enabled.
Some notifications mimic missed calls from family members, while others push urgent tax review notices or government direct deposit alerts.
Clicking a Pushpaganda-associated notification redirects the user to another actor-controlled domain.
These domains use deceptive buttons labeled “Apply Now,” “Claim Now,” or “Join WhatsApp.”
However, these buttons use JavaScript to redirect users to additional internal articles or different actor-controlled domains.
A JavaScript rotation algorithm also forces inactive browser tabs to automatically cycle through various actor-owned pages.
This tab cycling generates additional ad loads and makes the sites appear high-quality to ad networks.
At its peak, HUMAN observed roughly 240 million bid requests associated with Pushpaganda domains in a single seven-day period.
Some of the ads on these scam domains contain deepfakes referencing celebrities or medical professionals to exploit user trust at scale.
The operation initially targeted users in India but has since expanded to the United States, Australia, Canada, South Africa, and the United Kingdom.
A Google spokesperson stated that the company keeps the vast majority of spam out of Discover through spam-fighting systems and that a fix for the spam issue in question has been deployed.
A standard firewall or antivirus cannot block these browser-level push notifications, which makes user awareness a very effective defense.
Users should never enable push notifications from unfamiliar websites, regardless of how legitimate the article appears.
To block existing malicious notifications, users can access their browser settings and revoke notification permissions for any suspicious domain.
Mobile users should also review notification settings in their Chrome browser or Android system settings to remove unauthorized subscriptions.
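For readers who want to check a desktop Chrome profile directly, here is an added example (not from HUMAN's report or the original article) that lists every origin still allowed to send notifications, newest grant first, so unfamiliar entries can be revoked in settings. It assumes the profile's `Preferences` JSON layout seen in desktop Chrome builds (`profile.content_settings.exceptions.notifications`, `setting` 1 = allow, `last_modified` in microseconds since 1601-01-01); the sample data and hostnames are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # Chrome ContentSetting values: 1 = allow, 2 = block, 3 = ask
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def notification_grants(prefs, expected_hosts=()):
    """Return (host, granted_at) for allowed origins not in expected_hosts."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != ALLOW:
            continue  # blocked or "ask" entries cannot deliver notifications
        origin = pattern.split(",", 1)[0]  # "https://host:443,*" -> origin part
        host = urlsplit(origin).hostname or origin
        if host in expected_hosts:
            continue
        try:
            micros = int(entry.get("last_modified", "0"))
        except (TypeError, ValueError):
            micros = 0  # malformed timestamp: sort it last, still report it
        findings.append((host, WEBKIT_EPOCH + timedelta(microseconds=micros)))
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample; on a real system, json.load() the profile's Preferences file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*": {"setting": 1, "last_modified": "13350000000000000"},
  "https://lure-a.example:443,*":   {"setting": 1, "last_modified": "13361673600000000"},
  "https://lure-b.example:443,*":   {"setting": 1, "last_modified": "13380163200000000"},
  "https://ads.example.net:443,*":  {"setting": 2, "last_modified": "13380163200000000"}
}}}}}
""")

if __name__ == "__main__":
    # expected_hosts is the user's own list of sites they knowingly subscribed to.
    for host, granted in notification_grants(SAMPLE_PREFS, {"mail.example.com"}):
        print(f"{granted:%Y-%m-%d}  {host}")
```

Any host this prints that the user does not recognize is a candidate for revocation under the browser's site settings for notifications.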


