Pushpaganda: AI-Scams Hijack Google Discovery Feed to Spread Malicious Notifications

A large-scale cyber operation called Pushpaganda is exploiting Google’s Discovery feed to distribute malicious notifications and scams through AI-generated content. This sophisticated campaign targets users worldwide via personalized content streams on Android home screens and Chrome new-tab pages.

The operation begins with threat actors creating over 113 fraudulent domains filled with AI-written articles designed to mimic legitimate content. Using advanced SEO tactics (and possibly paid placements), attackers inject these clickbait stories directly into users’ Discovery feeds:

Diagram outlining the Pushpaganda threat (Source : Satori).
Diagram outlining the Pushpaganda threat (Source: Satori Threat Intelligence)

Articles feature sensational headlines like “$1390 IRS Deposit Approved” or “$99 Ultra-Cheap Smartphones” to lure clicks. When users engage, they’re redirected to attacker-controlled websites that push them to enable browser notifications. Once granted, the attackers gain system-level access to deliver persistent alerts that bypass ad blockers.

Scareware and Social Engineering at Scale

Notifications are weaponized with deceptive messages—fake legal threats, fraudulent bank alerts, or impersonated emergency calls—to manipulate victims. Clicking these notifications creates a continuous loop between Pushpaganda domains, amplifying exposure to additional scams:

Manipulating the Discovery Feed (Source : Satori).
Pushpaganda’s manipulative content in Google’s Discovery feed (Source: Satori)

At its peak, HUMAN researchers recorded 240 million ad bid requests in a single week, originating from domains initially targeting India before expanding to the US, Australia, and beyond. All interactions—from impressions to redirects—are fraudulent, driven by scripted engagement rather than genuine user interest.

Deceptive button on a Pushpaganda-associated domain (Source : Satori).
Deceptive “Apply Now” button leading to scam redirects (Source: Satori)
JavaScript rotation algorithm (Source : Satori).
JavaScript rotation inflating traffic metrics (Source: Satori)

Google Responds, HUMAN Defends

Attackers enhance deception through deepfake ads (e.g., impersonating celebrities or medical experts) embedded across sites and a JavaScript algorithm that auto-rotates inactive tabs across actor-controlled domains to generate fake traffic:

After HUMAN’s Satori team provided domain data, Google confirmed it has patched Discovery feed vulnerabilities to block low-quality, manipulative content like Pushpaganda. However, HUMAN remains vigilant against emerging variants—defending customers with real-time protection across Ad Fraud Defense and Ad Click Defense solutions.

Related Articles

Back to top button