Cybersecurity experts have identified a new scheme exploiting artificial intelligence and search engine poisoning to deliver fraudulent news via Google Discover. This operation aims to deceive users into enabling browser notifications that lead to scareware and financial fraud.
Understanding the Pushpaganda Campaign
The campaign, dubbed Pushpaganda by HUMAN’s Satori Threat Intelligence, targets Android and Chrome users. It manipulates personalized content feeds, tricking users into subscribing to alarming notifications. Researchers Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell highlight the operation’s use of invalid organic traffic from genuine mobile devices.
At its peak, the campaign generated approximately 240 million bid requests over a week, involving 113 domains. Initially focused on India, it has expanded to the U.S., Australia, Canada, South Africa, and the U.K. According to Gavin Reid, HUMAN’s Chief Information Security Officer, this illustrates how attackers misuse AI to manipulate trusted discovery platforms.
The Mechanics of the Scam
Scammers lure users through Google Discover to AI-generated news, coercing them into enabling push notifications. These notifications deliver fake legal threats, redirecting users to sites run by the scammers. This generates organic traffic to embedded ads, creating illicit revenue streams for the perpetrators.
This type of fraud is not unprecedented. In September 2025, Infoblox revealed Vane Viper, a threat actor using push notifications for social engineering. Lindsay Kaye from HUMAN Security notes that such threats exploit urgency, prompting users to act quickly, which is advantageous for malware authors.
Broader Implications and Future Outlook
In a related disclosure, HUMAN identified a vast ad fraud marketplace involving over 3,000 domains and 63 Android apps. Known as Low5, the operation monetized these domains using HTML5 sites for fraud, peaking at 2 billion bid requests daily across 40 million devices. The apps have since been removed from the Google Play Store.
HUMAN highlights the resilience of such monetization infrastructures. Even if one campaign is dismantled, the same domains can be repurposed by other threat actors. This underscores the necessity for continuous threat intelligence and preemptive detection to combat cashout domains effectively.
As these schemes grow more sophisticated, users and cybersecurity professionals must stay vigilant to safeguard against emerging threats.
