Cybersecurity researchers have uncovered a new fraud scheme called Pushpaganda, which uses artificial intelligence and SEO manipulation to promote fake news in Google Discover. The campaign forces users to subscribe to push notifications that spread scareware and financial scams.
Cybersecurity researchers have identified an ongoing and widespread ad fraud operation that combines Search Engine Optimization (SEO) manipulation with AI-generated content (AGC). The attack affects both Android and Chrome users, and uses the Google Discover feed to surface false news stories and entice users to enable push notifications.
HUMAN’s Satori Threat Intelligence and Research Team identified the campaign, which has been named “Pushpaganda.”
Researchers stated that push notifications are the primary factor behind this operation. They give the attackers a channel to reach users and then carry out a series of fraudulent activities.
“This operation creates valid organic traffic with fake traffic from actual mobile devices and deceives users into subscribing to receive push notifications,” said Luiza Abel, Vikas Partasarathi, Joao Santos, and Adam Sell.
In summary, the process is easy to execute. Users see a “news story” in the Google Discover feed that appears completely authentic. In reality, it is an AGC-based webpage that relies on SEO poisoning.
After landing on the page, the user is encouraged to accept push notifications. Once the user accepts, the attacker begins delivering the most damaging elements of the scam, including fake warning messages and threatening alerts about alleged virus infections. When a user interacts with these notifications, they are directed to various websites operated by the attackers. Each site may carry pre-installed ads or other deceptive mechanisms designed to generate revenue.
At its peak, the campaign was operating at full capacity. During a seven-day span, researchers reported an estimated 240 million advertising requests associated with 113 domain names. Although the activity first appeared in India, it rapidly expanded to multiple regions, including the United States, Canada, Australia, South Africa and the United Kingdom.
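Because the scam depends on a site holding a granted notification permission, a defender can audit which origins a Chrome profile has allowed. The Python sketch below is an added example, not code from HUMAN's research: it reads the notification exceptions that Chrome keeps in the profile's `Preferences` JSON file, and the sample data, domain names and the `trusted` allow-list are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ALLOW = 1  # content-setting value Chrome records for "Allow" (2 is "Block")

# Constructed sample of the relevant part of a Chrome profile "Preferences" file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*":
            {"last_modified": "13350000000000000", "setting": 1},
        "https://breaking-news.example.net:443,*":
            {"last_modified": "13390000000000000", "setting": 1},
        "https://ads.example.org:443,*":
            {"last_modified": "13390000500000000", "setting": 2},
    }}}}
})

def webkit_to_datetime(value):
    """Convert a Chrome/WebKit microsecond timestamp to an aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))

def allowed_notification_origins(preferences_text, trusted=frozenset()):
    """Return (origin, granted_at) for every origin allowed to send
    notifications and not on the trusted allow-list, newest grant first."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in entries.items():
        if entry.get("setting") != ALLOW:
            continue  # blocked or default entries cannot deliver notifications
        origin = pattern.split(",", 1)[0]  # pattern is "<origin>,<embedder>"
        if origin in trusted:
            continue
        granted = webkit_to_datetime(entry.get("last_modified", 0))
        findings.append((origin, granted))
    return sorted(findings, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    known_good = {"https://mail.example.com:443"}  # hypothetical allow-list
    for origin, granted in allowed_notification_origins(SAMPLE_PREFERENCES, known_good):
        print(f"{granted:%Y-%m-%d %H:%M} UTC  {origin}")
```

Origins that appear in the output and that the user does not recognise are candidates for revoking the permission in the browser's site settings.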
Gavin Reid, HUMAN’s Chief Information Security Officer, states that this is a prime example of how attackers use artificial intelligence (AI) not only to create their own content, but also to take control of trusted platforms. Legitimate platforms such as Google Discover are thereby turned into vehicles for spamming users with deepfakes and financial scams. Following discovery of the campaign, Google implemented an update intended to limit similar forms of spam.
The use of push notifications for fraud has been documented since early September 2025, when Infoblox researchers described the actions of an entity known as Vane Viper. Like Pushpaganda, Vane Viper used notifications both to advertise and to socially engineer victims.
Why does this scheme work? Lindsey Kay, VP of Threat Intelligence at HUMAN Security, describes it as follows:
“These attacks create a feeling of urgency. Due to this urgency, users frequently interact with notifications with haste in order to eliminate them or gather more information. Therefore, this is why these notifications are successful tools for attackers.”
Like many other malicious operations, this campaign is only one component of a larger ecosystem. Researchers at HUMAN have recently documented another large-scale marketplace for laundering money via ad fraud, referred to as Low5. Low5 used over 3,000 domains and 63 Android applications to launder funds via ad fraud. Similar to Pushpaganda, Low5 uses “ghost sites” that sell advertising traffic which appears genuine. In reality, this traffic is produced by deceiving and manipulating users.
When functioning at maximum capacity, Low5 produced upwards of 2 billion ad requests per day and could operate on roughly 40 million devices globally.
Because of Low5’s architecture, numerous attackers can use the same systems. This makes Low5 more resistant to blocking, limits tracking, and allows new campaigns to be launched before previous campaigns are taken down. As HUMAN emphasizes, however, the major issue is that once a campaign is shut down, the associated infrastructure remains active and capable of producing further illicit revenue, because the barriers to reuse by multiple parties are low. For this reason, experts stress continuous monitoring and swift detection of such schemes before they become profitable.