A sophisticated cybercriminal operation known as “Pushpaganda” is weaponizing Google Discover, a popular content aggregation service, to distribute malicious push notifications to users across multiple countries. Researchers have uncovered that this campaign cleverly leverages AI-generated content and aggressive social engineering tactics to trick users into subscribing to harmful notification streams, representing a significant new threat vector for malicious actors.
The Pushpaganda operation infiltrates personalized Google Discover feeds, which are prominently displayed on Android home screens and within Chrome browser tabs. Threat actors have established a network of 113 domains, utilizing artificial intelligence to generate highly sensationalized headlines and striking imagery. These fabricated stories often revolve around topics designed to elicit immediate emotional responses, such as fake government deposit announcements, alarming tax notices, or unbelievably attractive smartphone deals. Examples include claims like “$1390 IRS Deposit Approved” or notifications about “$100 phones with 300MP cameras.” The content gains entry into Discover feeds either through paid advertising placements or advanced search engine optimization (SEO) strategies, making it challenging to distinguish from legitimate news at first glance.
Once a user clicks on one of these deceptive articles, they are redirected to an actor-controlled domain. Upon arrival, a browser notification subscription prompt appears instantaneously. Many users, aiming to bypass the pop-up or believing it is necessary to view the article, click “Allow.” This single action initiates a persistent stream of OS-level notifications that effectively bypasses standard ad blockers. These subsequent notifications bear no relation to the original article; instead, they present fabricated police arrest warrants, fake missed calls from family members, and false bank alerts, all designed to instill fear and drive further clicks.
Analysts at HUMAN’s Satori Threat Intelligence and Research Team, including researchers Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell, identified this operation. They reported that at its peak, Pushpaganda generated approximately 240 million bid requests tied to its domains within a single seven-day period. The campaign initially targeted users in India before expanding its reach to Australia, the United States, and other regions. The research team has shared the identified 113 Pushpaganda-associated domains with Google, and the tech giant has confirmed that a fix has been implemented to prevent this type of low-quality, manipulative content from appearing in Discover feeds.
How the Deceptive UI and JavaScript Rotation Worked
One of the more technically sophisticated aspects of the Pushpaganda operation involved its use of deceptive user interface (UI) buttons and a JavaScript-based tab rotation mechanism. When users landed on an actor-controlled domain, they were presented with buttons bearing calls to action such as “Apply Now,” “Claim Now,” or “Join WhatsApp.” These labels were carefully chosen to imply a legitimate action. Instead of fulfilling the advertised function, these buttons leveraged JavaScript to open new browser tabs, each directing users to another Pushpaganda-linked domain.
Concurrently, within the background tab left open by the user’s click, a separate JavaScript algorithm began a cycle of rotating through a predefined sequence of actor-owned pages. This background process quietly loaded advertisements and extended the session durations on these pages. This technique made the sites appear as high-quality traffic sources to advertising networks, resulting in inflated ad revenue for the threat actors, generated entirely from users who never intended to interact with those specific pages.
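A detection-side sketch of the background rotation described above, added here as an example and not taken from the Satori research. The event fields (`tab`, `ts`, `host`, `visible`, `user_gesture`), the thresholds and the sample events are assumptions about what navigation telemetry might record.

```python
from collections import defaultdict

def find_background_rotation(events, min_navs=4, min_hosts=3):
    """Flag tabs that keep navigating while hidden and without any user gesture."""
    by_tab = defaultdict(list)
    for e in events:
        # Only navigations the user could not have triggered are of interest.
        if not e["visible"] and not e["user_gesture"]:
            by_tab[e["tab"]].append(e)
    flagged = {}
    for tab, navs in by_tab.items():
        navs.sort(key=lambda e: e["ts"])
        hosts = sorted({e["host"] for e in navs})
        if len(navs) >= min_navs and len(hosts) >= min_hosts:
            gaps = [b["ts"] - a["ts"] for a, b in zip(navs, navs[1:])]
            flagged[tab] = {"navigations": len(navs), "hosts": hosts,
                            "max_gap_s": max(gaps)}
    return flagged

def nav(tab, ts, host, visible, user_gesture):
    return {"tab": tab, "ts": ts, "host": host,
            "visible": visible, "user_gesture": user_gesture}

# Constructed sample telemetry (hypothetical format; ts is seconds into the session).
SAMPLE_EVENTS = [
    nav(7, 0, "site-a.example", True, True),      # user clicks a call-to-action button
    nav(7, 30, "site-b.example", False, False),   # tab 7 is now in the background
    nav(7, 60, "site-c.example", False, False),
    nav(7, 90, "site-d.example", False, False),
    nav(7, 120, "site-b.example", False, False),  # the sequence starts over
    nav(9, 5, "news.example", True, True),        # ordinary foreground browsing
    nav(9, 400, "news.example", False, False),    # a single hidden auto-refresh
]

if __name__ == "__main__":
    for tab, info in find_background_rotation(SAMPLE_EVENTS).items():
        print(tab, info)
```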
Satori researchers also observed the integration of deepfake videos and images within ads displayed on these domains. Some of these ads falsely depicted well-known celebrities and medical professionals, further exploiting user trust at a large scale. This particular tactic highlights the evolving sophistication of social engineering techniques used by cybercriminals.
User Protection and Future Implications
Users who suspect they may have subscribed to Pushpaganda-linked notifications are advised to immediately review their browser notification permissions. They should revoke access for any unfamiliar or suspicious domains. On Chrome for Android, this process can be managed through Settings → Site Settings → Notifications. It is crucial for users to avoid clicking “Allow” on notification prompts from websites they do not recognize or trust, particularly those discovered through news feed links.
From an organizational perspective, security teams should monitor for unusual push notification subscription activity on managed devices. OS-level alerts that mimic communications from legal or financial authorities should be treated as strong indicators of a social engineering attempt. The Satori researchers are continuing to monitor for new Pushpaganda-associated domains and any signs of threat actor adaptation. The ongoing evolution of these tactics underscores the importance of maintaining active ad fraud and click fraud detection measures across all web-facing environments.
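One way to carry out the permission review on managed devices, as an added example that is not part of the original report: it lists origins a Chrome profile allows to send notifications that are not on an approved list. The `profile.content_settings.exceptions.notifications` layout reflects how Chrome's `Preferences` JSON is commonly observed to store these grants, not a documented interface; the hosts, dates and approved list are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # timestamps: microseconds since 1601
ALLOW = 1  # content-setting value for "Allow" (2 is "Block")

def to_chrome(dt):
    """Convert an aware datetime to Chrome's string timestamp (used for the sample)."""
    return str((dt - CHROME_EPOCH) // timedelta(microseconds=1))

def audit_notification_grants(prefs, approved, now, recent_days=30):
    """List origins allowed to send notifications that are not on the approved list."""
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, data in entries.items():
        if data.get("setting") != ALLOW:
            continue
        origin = pattern.split(",")[0]  # key looks like "https://host:443,*"
        try:
            host = urlsplit(origin).hostname or origin
        except ValueError:  # wildcard patterns are not valid URLs
            host = origin
        if host in approved or any(host.endswith("." + a) for a in approved):
            continue
        granted = CHROME_EPOCH + timedelta(microseconds=int(data.get("last_modified", 0)))
        findings.append({"host": host, "granted": granted,
                         "recent": now - granted <= timedelta(days=recent_days)})
    return sorted(findings, key=lambda f: f["granted"], reverse=True)

# Constructed sample data; hosts and dates are illustrative only.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
APPROVED = {"corp.example"}
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://news-deals.example:443,*": {"setting": 1, "last_modified": to_chrome(NOW - timedelta(days=3))},
    "https://intranet.corp.example:443,*": {"setting": 1, "last_modified": to_chrome(NOW - timedelta(days=90))},
    "https://old-forum.example:443,*": {"setting": 1, "last_modified": to_chrome(NOW - timedelta(days=200))},
    "https://blocked-site.example:443,*": {"setting": 2, "last_modified": to_chrome(NOW - timedelta(days=1))},
}}}}}

if __name__ == "__main__":
    for f in audit_notification_grants(SAMPLE_PREFS, APPROVED, NOW):
        print(f["host"], f["granted"].date(), "RECENT" if f["recent"] else "older")
```

On a real device the input is the parsed `Preferences` JSON file from the Chrome profile directory. Where web notifications are not needed at all, Chrome's `DefaultNotificationsSetting` enterprise policy set to `2` blocks the prompt outright.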
The Pushpaganda operation serves as a stark reminder of how threat actors are increasingly exploiting trusted content distribution platforms. Because Google Discover is an integrated system feature rather than a standalone application, users have limited control over its content, making it a particularly effective entry point for social engineering attacks. The ongoing cat-and-mouse game between security researchers and malicious actors highlights the need for continuous vigilance and the development of robust detection and prevention mechanisms.

