AI-Driven ‘Pushpaganda’ Scam Exploits Google Discover to Spread Scareware and Ad Fraud
Cybersecurity researchers have uncovered a sophisticated ad fraud operation, dubbed Pushpaganda, that leverages artificial intelligence (AI) and search engine optimization (SEO) techniques to disseminate deceptive news stories via Google’s Discover feed. This campaign primarily targets Android and Chrome users, tricking them into enabling persistent browser notifications that lead to scareware and financial scams.
The Pushpaganda scheme involves creating AI-generated content designed to appear as legitimate news articles. These articles are strategically optimized to infiltrate Google’s Discover feed, a personalized content recommendation service. Once users engage with these misleading stories, they are prompted to allow push notifications. These notifications subsequently deliver alarming messages, such as fake legal threats or urgent security alerts, coercing users into visiting additional malicious websites controlled by the attackers. This process not only generates illicit ad revenue but also exposes users to potential financial fraud.
At its peak, the Pushpaganda campaign was associated with approximately 240 million bid requests across 113 domains within a seven-day period. Initially observed targeting users in India, the operation has since expanded to regions including the United States, Australia, Canada, South Africa, and the United Kingdom.
This campaign underscores the evolving tactics of cybercriminals who exploit AI to manipulate trusted platforms, turning them into conduits for scareware, deepfakes, and financial fraud. In response, Google has implemented measures to address this specific spam issue, reinforcing its commitment to maintaining the integrity of its content delivery systems.
The mechanics of the Pushpaganda operation involve luring users through AI-generated news stories that appear in their Google Discover feed. Upon clicking these stories, users are directed to actor-controlled domains where they are prompted to enable push notifications. These notifications then deliver deceptive messages designed to create a sense of urgency or fear, compelling users to click on them. Clicking these notifications redirects users to additional malicious sites, thereby generating organic traffic to ads embedded within those sites and enabling the perpetrators to accrue illicit revenue.
This method of exploiting push notifications is not unprecedented. In September 2025, a threat actor known as Vane Viper was found to be systematically abusing push notifications to serve ads and facilitate social engineering campaigns. These tactics often create a false sense of urgency, prompting users to act hastily, which makes them effective tools in a cybercriminal’s arsenal.
The Pushpaganda campaign highlights the need for continuous vigilance and adaptive security measures to counteract the innovative methods employed by cybercriminals. Users are advised to exercise caution when enabling push notifications and to critically evaluate the credibility of content encountered online.
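As an added illustration of the advice above (not code from the researchers or from Google), the following Python sketch lists the sites a Chrome profile has granted notification permission to, so unfamiliar origins can be reviewed and revoked. It assumes the profile's `Preferences` JSON stores grants under `profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow and `last_modified` counted in microseconds since 1601-01-01 UTC; the sample data and domains are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of the notification section of a Chrome "Preferences"
# file (layout is an assumption; all domains are placeholders).
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*": {"setting": 1, "last_modified": "13340000000000000"},
        "https://daily-news.example.test:443,*": {"setting": 1, "last_modified": "13350000000000000"},
        "https://blocked.example.test:443,*": {"setting": 2, "last_modified": "13345000000000000"},
    }}}}})

ALLOW = 1  # assumed content-setting value for "allow"; 2 is "block"
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def host_of(pattern):
    """Turn a content-setting key such as 'https://host:443,*' into 'host'."""
    primary = pattern.split(",", 1)[0]
    return urlsplit(primary).hostname or primary

def granted_notifications(prefs_text, allowlist=()):
    """Return (host, grant_time) for allowed origins outside the allowlist, newest first."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, meta in entries.items():
        if meta.get("setting") != ALLOW:
            continue  # blocked or default: this origin cannot push notifications
        host = host_of(pattern)
        if any(host == ok or host.endswith("." + ok) for ok in allowlist):
            continue  # origin the user or organisation expects
        raw = meta.get("last_modified")
        when = CHROME_EPOCH + timedelta(microseconds=int(raw)) if raw else None
        findings.append((host, when))
    return sorted(findings, key=lambda f: f[1] or CHROME_EPOCH, reverse=True)

if __name__ == "__main__":
    for host, when in granted_notifications(SAMPLE_PREFS, allowlist=("example.com",)):
        print("review:", host, "granted", when)
```

Run against a copy of the profile's `Preferences` file rather than the live one, and treat recently granted, unrecognised news-style domains as the first candidates for revocation.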