AI‑Generated Clickbait “Pushpaganda” Hijacks Mobile Notifications for Scam Campaigns
What Happened — Researchers have uncovered “Pushpaganda,” an AI‑assisted ad‑fraud operation that injects clickbait articles into Google Discover and Chrome new‑tab feeds. When a user taps the article, the malicious page immediately asks for notification permission, converting the device into a conduit for continuous scam‑laden push notifications.
Why It Matters for TPRM —
- Notification‑based scams can harvest personal and financial data from employees, expanding third‑party risk.
- AI‑generated content evades traditional content‑filtering, increasing the likelihood of supply‑chain exposure.
- Unchecked notification permissions broaden the attack surface of any organization that allows mobile or web browsing on corporate devices.
Who Is Affected — Consumer‑facing mobile browsers, ad networks, content‑aggregation platforms, and any enterprise that permits staff to browse personalized feeds on corporate‑managed devices.
Recommended Actions —
- Train users to deny “Allow notifications” prompts from unknown sites, especially those reached via feeds.
- Enforce MDM/EMM policies that block or require justification for notification permissions from non‑whitelisted domains.
- Deploy URL‑filtering and threat‑intel feeds to block known Pushpaganda domains and monitor outbound traffic for anomalous notification‑related requests.
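One way to audit endpoints against the notification-permission recommendation above, as an added example that is not from the source report: it lists sites that hold an "allow" notification grant in a Chrome profile but are not on an approved list. It assumes the layout desktop Chrome uses in its profile Preferences file (profile.content_settings.exceptions.notifications, where setting 1 means allow); the sample data, hostnames and the APPROVED allowlist are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

ALLOW = 1  # Chrome ContentSetting value for "allow" (2 is "block")

# Constructed sample of a Chrome profile "Preferences" file; hosts are placeholders.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.corp.example:443,*": {"setting": 1},
        "https://breaking-news.example:443,*": {"setting": 1},
        "https://sub.breaking-news.example:443,*": {"setting": 1},
        "https://ads.example:443,*": {"setting": 2},
        "https://notcorp.example:443,*": {"setting": 1},
    }}}}
})

APPROVED = {"corp.example"}  # hypothetical allowlist of approved domains


def host_of(pattern):
    """Extract the hostname from a key such as 'https://host:443,*'."""
    primary = pattern.split(",", 1)[0]
    try:
        return (urlsplit(primary).hostname or "").lower()
    except ValueError:  # malformed or wildcard pattern
        return ""


def is_approved(host, approved):
    """Match the domain itself or a true subdomain, never a bare string suffix."""
    return any(host == d or host.endswith("." + d) for d in approved)


def unapproved_grants(preferences_text, approved):
    """Return sorted hosts with an 'allow' notification grant that are not approved."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    flagged = set()
    for pattern, value in entries.items():
        if value.get("setting") != ALLOW:
            continue  # blocked or default entries are not a risk here
        host = host_of(pattern)
        if not host or not is_approved(host, approved):
            flagged.add(host or pattern)  # unparsable patterns are reported as-is
    return sorted(flagged)


if __name__ == "__main__":
    for host in unapproved_grants(SAMPLE_PREFERENCES, APPROVED):
        print("unapproved notification grant:", host)
```

Entries it reports are candidates for revocation and for review of how the user reached the site.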
Technical Notes — Attack vector: phishing‑style notification‑permission prompt delivered through AI‑generated clickbait pages; no specific CVE. Data at risk includes personal identifiers and payment details if victims follow scam links. Source: Malwarebytes Labs