AI-Powered 'Pushpaganda' Scam Hijacks Google Discover for Scareware and Ad Fraud
- John Jordan

- Apr 14
Updated: Apr 20
A sophisticated new scam, dubbed 'Pushpaganda,' is exploiting Google Discover and artificial intelligence to spread scareware and engage in ad fraud. This operation tricks users into enabling persistent browser notifications, which then deliver alarming messages and lead to financial scams. The campaign, initially targeting India, has since expanded globally.

Key Takeaways
- AI-generated content and SEO techniques are used to push deceptive news stories into Google Discover.
- Users are tricked into enabling push notifications that display fake legal threats and scams.
- The scheme generates invalid organic traffic, leading to ad fraud and illicit revenue.
- Google has implemented a fix to address the issue.
The Pushpaganda Operation
The 'Pushpaganda' campaign, named for its reliance on push notifications, leverages search engine optimization (SEO) poisoning to inject deceptive content into Google's personalized Discover feed. Researchers from HUMAN's Satori Threat Intelligence and Research Team identified that the operation uses AI to generate misleading news stories. When users click on these stories, they are led to domains controlled by the threat actors.
Once on these malicious sites, users are coerced into subscribing to push notifications. These notifications often present fake legal threats or other alarming messages designed to create a sense of urgency. Clicking on these notifications redirects users to further scam sites, generating ad revenue for the perpetrators.
Scale and Expansion
At its peak, the campaign was associated with approximately 240 million bid requests across 113 domains within a single week. While initially observed targeting users in India, the threat has since broadened its reach to include regions such as the U.S., Australia, Canada, South Africa, and the U.K.
Broader Implications and Previous Incidents
This incident highlights the growing trend of threat actors abusing AI to weaponize trusted discovery platforms. Gavin Reid, chief information security officer at HUMAN, noted that these tactics turn platforms like Google Discover into delivery vehicles for scareware, deepfakes, and financial fraud.
This is not the first instance of push notification abuse. In September 2025, a threat actor known as Vane Viper was identified using similar tactics for ad serving and social engineering campaigns. Cybersecurity experts emphasize that malware-based threats involving push notifications are effective due to the urgency they can create, often prompting users to click quickly to resolve the perceived issue.
Related Ad Fraud Schemes
The discovery of Pushpaganda follows HUMAN's identification of 'Low5,' one of the largest ad fraud laundering marketplaces uncovered, involving over 3,000 domains and 63 Android apps. Low5 operated by monetizing domains as 'cashout sites' for sophisticated fraud schemes, generating up to 2 billion bid requests daily and potentially affecting 40 million devices worldwide. While Android apps associated with Low5 have been removed from the Google Play Store, the underlying infrastructure for such schemes can persist, allowing different threat actors to reuse the same monetization systems.
By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats.
Sources
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud, The Hacker News.
