A new cyber threat operation, exploiting the Google Discover feed on Android and Chrome devices, has been identified. This operation, named ‘Pushpaganda’ by security experts, utilizes AI-generated content to deliver harmful push notifications to users across several countries.
Understanding the Pushpaganda Scheme
Pushpaganda combines AI-generated articles with social engineering to deceive users. By placing fictional stories into users’ personalized Discover feeds, it persuades them to subscribe to malicious notification streams. These feeds appear on Android home screens and in Chrome tabs, and the planted articles are often indistinguishable from legitimate news because of their placement and the SEO tactics behind them.
The threat actors behind Pushpaganda have constructed a network of 113 domains, producing sensational headlines and visuals designed to capture immediate attention. Topics commonly include fake government updates or unrealistic offers, such as tax refunds or discounted high-tech gadgets.
Mechanics of the Deceptive Notifications
When a user taps a deceptive article, they are redirected to a domain controlled by the threat actors and prompted to subscribe to notifications. Many users agree inadvertently, either to dismiss the prompt or under the false impression that subscribing is required to view the content. The result is a continuous stream of misleading notifications that bypass traditional ad blockers and deliver fake alerts designed to provoke further interaction.
HUMAN’s Satori Threat Intelligence and Research Team, including researchers Louisa Abel and Vikas Parthasarathy, uncovered the operation. At its peak, Pushpaganda generated approximately 240 million bid requests in a single week, initially targeting users in India before expanding globally.
Technical Sophistication and User Impact
Pushpaganda’s technical sophistication includes deceptive UI elements and a JavaScript-based tab rotation mechanism. Users encounter misleading buttons that, instead of performing their labeled action, open new tabs pointing at further malicious domains. This inflates the threat actors’ ad revenue by presenting ad networks with what looks like high-quality traffic.
Security experts have also identified deepfake media on these domains, which exploit trust by depicting familiar figures in false contexts. Users are advised to review their notification permissions and revoke access for any dubious domains. On Android this can be managed under Settings → Site Settings → Notifications.
Organizations should remain vigilant, monitoring for unusual notification activity and treating alerts mimicking official entities as potential social engineering attempts. Satori researchers continue to track Pushpaganda’s evolution, urging active fraud detection measures in all web environments.
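The review of notification permissions described above can be scripted across managed endpoints. The following is an added example (not code from the report or from HUMAN) that reads the notification exceptions from a Chrome profile's Preferences file and lists every origin granted permission that is not on a known-good allowlist. It assumes Chrome's layout of `profile.content_settings.exceptions.notifications` with setting value 1 meaning "allow"; the sample data and origins are constructed placeholders, not indicators from the report.

```python
import json
from pathlib import Path

# Chrome's ContentSetting values as stored in the profile's Preferences file.
ALLOW, BLOCK, ASK = 1, 2, 3

# Constructed sample of the relevant slice of a Chrome "Preferences" file.
# The origins are illustrative placeholders, not indicators from the report.
SAMPLE_PREFS = {
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example.org:443,*": {"last_modified": "13350000000000000", "setting": ALLOW},
        "https://prize-claim-example.test:443,*": {"last_modified": "13360000000000000", "setting": ALLOW},
        "https://blocked.example.net:443,*": {"last_modified": "13340000000000000", "setting": BLOCK},
    }}}}
}


def notification_grants(prefs: dict) -> list[str]:
    """Return the origins whose notification setting is ALLOW, i.e. sites that may push alerts."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        # Keys have the form "<primary pattern>,<secondary pattern>"; the primary is the site.
        origin = pattern.split(",", 1)[0]
        if entry.get("setting") == ALLOW:
            grants.append(origin)
    return sorted(grants)


def unexpected_grants(prefs: dict, allowlist: set[str]) -> list[str]:
    """Grants absent from an organisation's known-good list: the ones to review or revoke."""
    return [origin for origin in notification_grants(prefs) if origin not in allowlist]


def audit_preferences_file(path: str, allowlist: set[str]) -> list[str]:
    """Audit a real Preferences file (<profile dir>/Preferences, read while Chrome is closed)."""
    with open(Path(path), encoding="utf-8") as fh:
        return unexpected_grants(json.load(fh), allowlist)


if __name__ == "__main__":
    for origin in unexpected_grants(SAMPLE_PREFS, {"https://news.example.org:443"}):
        print("review notification grant:", origin)
```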
