A newly uncovered threat operation is abusing one of the most widely used content discovery features on Android and Chrome devices, Google’s Discovery feed, to deliver malicious push notifications to unsuspecting users in multiple countries.
The campaign, which analysts have named Pushpaganda, combines AI-generated content, aggressive social engineering, and deceptive browser tricks to lure legitimate users into subscribing to malicious notification feeds.
Pushpaganda gets its foothold by placing fabricated news articles directly into users’ personalized Discovery feeds, which appear on Android home screens and on idle Chrome browser tabs.
The operators built a network of 113 actor-controlled domains and used artificial intelligence to generate sensational headlines and images designed to grab attention instantly.
The articles typically focused on topics that trigger strong reactions: fake government deposit notices, alarming tax alerts, or implausible smartphone bargains such as “$1390 IRS Deposit Approved” or “$100 smartphones with 300MP cameras.”
The content reached Discovery feeds either through paid placements or through aggressive search engine optimization, making it hard to tell apart from legitimate news at first glance.
When a user clicked one of these articles, they were redirected to an actor-controlled domain that immediately displayed a browser notification subscription prompt.
Many users clicked “Allow” either to dismiss the dialog or because they believed it was required to read the article they had selected.
That single click started a continuous, OS-level stream of notifications that bypassed traditional ad blockers entirely.
The notifications that followed had nothing to do with the original article; instead they delivered fake police arrest warrants, fake missed calls from relatives, and fraudulent bank alerts, all designed to provoke fear and drive further clicks.
The operation was identified by HUMAN’s Satori Threat Intelligence and Research Team; the researchers involved were Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell.
They observed that at its peak, Pushpaganda generated roughly 240 million bid requests tied to its domains in a single week.
The campaign initially targeted users in India before expanding to Australia, the United States, and other regions.
The research team shared all 113 identified Pushpaganda-associated domains with Google, which confirmed that a fix has since been deployed to prevent this category of low-quality, manipulative content from appearing in Discovery feeds.
The scale and reach of this operation highlight a growing trend of threat actors weaponizing trusted content distribution platforms.
Because Google’s Discovery feed is a built-in system feature rather than a downloadable app, users have limited control over what appears in it, which makes it an unusually effective entry point for this kind of social engineering attack.
How the Misleading UI and JavaScript Rotation Operated
A notable feature of Pushpaganda was its use of deceptive interface buttons combined with a JavaScript-driven tab rotation scheme.
When users landed on an actor-controlled domain, they were shown buttons labelled “Apply Now,” “Claim Now,” or “Join WhatsApp,” wording that implied a legitimate action.
Rather than performing the advertised action, these buttons used JavaScript to open new browser tabs pointing at further Pushpaganda-associated domains.
In the background tab left open after the click, a separate JavaScript routine kicked in, cycling the now-inactive tab through a predetermined sequence of actor-owned pages.
This mechanism silently loaded advertisements and inflated session durations on those pages, making the sites look like high-quality traffic sources to advertising networks.
The result was increased ad revenue for the threat actors, all generated by users who never intended to visit those pages.
Satori analysts also found deepfake images and videos embedded in advertisements on these domains, some impersonating well-known public figures and medical authorities to further exploit user trust at scale.
Users who suspect they may have subscribed to Pushpaganda-linked alerts should promptly review their browser notification settings and revoke permission for any unknown or suspicious domains.
On Chrome for Android, this is done via Settings → Site Settings → Notifications. Users are also advised not to click “Allow” on notification prompts from unfamiliar websites, especially those reached through news feed links.
For organizations, security teams are encouraged to monitor managed devices for unusual push notification subscription activity and to treat any OS-level alerts impersonating legal or financial institutions as indicators of a social engineering attempt.
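As an added example (not part of HUMAN’s research or of any Google tooling), the notification-permission review described above can be automated for desktop Chrome profiles on managed machines: the script parses a Chrome profile’s Preferences JSON and lists every origin granted notification permission that is not on a local allowlist. It assumes the standard desktop Preferences layout and uses a constructed sample file; on Android the file is not exposed, so the Settings path above applies there.

```python
"""Audit which origins a desktop Chrome profile has granted notification permission.

Reads the JSON "Preferences" file of a Chrome profile (for example
~/.config/google-chrome/Default/Preferences on Linux) and reports origins whose
notification setting is ALLOW and that are not on a local allowlist, so an admin
can revoke them. The sample preferences below are constructed for illustration.
"""
import json
from typing import Dict, List

# Chrome stores per-site permissions under this key path; setting 1 = allow, 2 = block.
NOTIFICATION_PATH = ("profile", "content_settings", "exceptions", "notifications")
ALLOW = 1

# Constructed sample mirroring the layout of a real Preferences file (not real data).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": ALLOW, "last_modified": "1"},
        "https://news-deal-claim.example:443,*": {"setting": ALLOW},
        "https://blocked.example:443,*": {"setting": 2},
    }}}}
})


def granted_notification_origins(preferences_json: str) -> List[str]:
    """Return origins (scheme://host:port) whose notification setting is ALLOW."""
    node: Dict = json.loads(preferences_json)
    for key in NOTIFICATION_PATH:
        node = node.get(key, {})  # missing keys simply mean no exceptions
    granted = []
    for pattern, entry in node.items():
        if entry.get("setting") == ALLOW:
            # Pattern is "<origin>,<embedding-origin>"; only the first part matters here.
            granted.append(pattern.split(",", 1)[0])
    return sorted(granted)


def unexpected_origins(preferences_json: str, allowlist: List[str]) -> List[str]:
    """Origins holding notification permission that are not explicitly trusted."""
    trusted = set(allowlist)
    return [o for o in granted_notification_origins(preferences_json) if o not in trusted]


if __name__ == "__main__":
    # Replace SAMPLE_PREFERENCES with open(path_to_Preferences).read() for a real profile.
    for origin in unexpected_origins(SAMPLE_PREFERENCES, ["https://mail.example.com:443"]):
        print("revoke notification permission for:", origin)
```

Run it against each managed profile’s Preferences file (Chrome must be closed or the file copied first, since Chrome rewrites it while running) and feed the output to whatever ticketing or remediation flow the team uses.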
Satori analysts continue to track new Pushpaganda-related domains and any signs of threat actor adaptation, advising that ad fraud and click fraud detection controls remain vigilant across all internet-facing platforms.