A new and sophisticated fraud and malware distribution scheme, dubbed Pushpaganda, has infiltrated the most mundane corners of digital life: Google Discover feeds. Utilizing a lethal mix of generative artificial intelligence (AI) and aggressive SEO tactics, this threat group is successfully converting millions of unsuspecting Android and Chrome users into organic traffic vectors for a vast network of cybercrime.
What is Pushpaganda? The Mechanism of 'Push Propaganda'
HUMAN's Satori Threat Intelligence and Research Team has dissected this operation, which stands out for its massive scale. Within just a week, the researchers detected over 240 million ad requests linked to an ecosystem of 113 malicious domains.
The attack cycle is simple but devastatingly effective:
- AI Bait: Attackers use AI to generate thousands of 'attractive' or alarming news stories (clickbait) that perfectly match the requirements for appearing on users' phones in Google Discover.
- Subscriber Capture: Once a user clicks on the fake news story, the website requests permission to send notifications. If the user agrees, they have fallen into the trap.
- Persistence and Malware: From that moment onwards, the attacker has a direct channel to the phone's notification center. They send alarming messages (false virus alerts, non-existent prizes, or breaking news) that redirect users to malware-infected download sites, credential theft sites, or financial scams.
While the abuse of push notifications is not a new concept — with precedents like the actor Vane Viper identified by Infoblox in 2025 — Pushpaganda elevates the threat to an industrial scale. What started as an operation centered on India has aggressively expanded into high-value markets, including:
- United States and Canada.
- United Kingdom.
- Australia and South Africa.
The key difference lies in AI. While previously attackers had to manually write their fake news stories, now AI allows for content generation in dozens of languages, tailored to local trends in real time, maximizing the likelihood that Google Discover will promote it organically.
Technical Details: The Fraud of 'Ghost Sites'
The Pushpaganda operation is only the tip of the iceberg of a more complex ecosystem of ad fraud. Researchers highlight the use of 'Ghost Sites' in the pre-bid auction process.
These sites act as intermediaries that pretend to have high-quality traffic to attract legitimate brand advertising dollars. By using real mobile devices belonging to users who activated notifications, attackers manage to make their traffic appear completely human and organic, evading basic bot detection filters used by many digital ad companies today.
Why It Matters Today
This discovery reflects a dangerous trend: the end of the era of mediocre content. Thanks to AI, misleading content now looks professional, is well-written, and is relevant.
What Users and IT Administrators Should Watch Out For
"Pushpaganda generates organic user traffic by inducing users to subscribe to notifications that present alarming messages," notes the HUMAN report. The danger lies in the fact that users trust Google Discover as a curated source, lowering their natural defenses against suspicious permission requests.
To mitigate the impact of this campaign, it is crucial to pay attention to the following points:
- Notification Permissions: Companies must educate their employees never to accept notifications from unknown news or blog websites. This is the main entry point for Pushpaganda.
- Browsing Clean-up: If a device starts showing system infection alerts or intrusive ads in the notification bar, it is likely subscribed to a Pushpaganda domain. Cache must be cleared and permissions revoked under Settings > Browser Notifications.
- Domain Monitoring: Security teams should be vigilant for spikes in traffic towards new or unusual domains detected in threat intelligence reports.
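One way for an IT team to act on the notification-permission and domain-monitoring points above, as an added example that is not from the HUMAN report or this article's source: the script lists the sites holding an allowed notification permission in a desktop Chrome profile and sorts them against an approved list and a threat-intelligence watchlist. It assumes the profile's `Preferences` JSON keeps these grants under `profile.content_settings.exceptions.notifications` with `setting` 1 meaning allow; the sample data, host names and both domain lists are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

ALLOW = 1  # assumed content-setting value for "allow" (2 is "block")

# Constructed sample of a Chrome profile "Preferences" file; all hosts are placeholders.
SAMPLE_PREFERENCES = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://breaking-news.example.net:443,*": {"setting": 1},
        "https://alerts.badfeed.example:443,*": {"setting": 1},
        "https://ads.example.org:443,*": {"setting": 2},
    }}}}})

def granted_notification_hosts(preferences_text):
    """Return the hosts that currently hold an 'allow' notification permission."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("notifications", {}))
    hosts = set()
    for pattern, value in entries.items():
        if not isinstance(value, dict) or value.get("setting") != ALLOW:
            continue
        primary = pattern.split(",", 1)[0]  # key is a "primary,secondary" pattern pair
        try:
            # Wildcard patterns are not URLs; keep them raw so they land in "review".
            host = None if "*" in primary else urlsplit(primary).hostname
        except ValueError:
            host = None
        hosts.add((host or primary).lower())
    return hosts

def in_domain_set(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(preferences_text, approved, watchlist):
    """Sort granted hosts into watchlisted / approved / review buckets."""
    report = {"watchlisted": [], "approved": [], "review": []}
    for host in sorted(granted_notification_hosts(preferences_text)):
        if in_domain_set(host, watchlist):
            report["watchlisted"].append(host)
        elif in_domain_set(host, approved):
            report["approved"].append(host)
        else:
            report["review"].append(host)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PREFERENCES, {"example.com"}, {"badfeed.example"}))
```

Hosts in the `review` bucket are the ones to check with the user and revoke if they turn out to be unknown news or blog sites.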
While Google has already begun implementing technical countermeasures to filter this content on Discover and Chrome, the cat-and-mouse game continues. The identity of the operators behind Pushpaganda remains a mystery, and the economic damage from ad budget theft and mobile device infection is counted in millions of dollars.
The lesson from Pushpaganda is clear: in a world where AI can manufacture credibility instantly, user attention is the most coveted and vulnerable asset.