The scheme used advanced SEO techniques and AI-generated content to inject deceptive news stories into Google Discover and push users into persistent browser notifications that deliver scareware and financial scams
HUMAN’s Satori Researchers Identify Novel Ad Fraud and Scareware Threat, Pushpaganda
NEW YORK, April 14, 2026 (GLOBE NEWSWIRE) — HUMAN Security, Inc., the trust layer for digital customer experiences in the agentic era, today announced that its Satori Threat Intelligence and Research Team has identified a novel ad fraud and scareware threat dubbed Pushpaganda. Google confirms it has already rolled out a fix for this issue.
Named for the push notifications central to the scheme, Pushpaganda generated invalid organic traffic from real mobile devices by tricking users into subscribing to persistent and alarming browser notifications. At its peak, HUMAN observed 113 domains and roughly 240 million bid requests associated with Pushpaganda domains in a single seven-day period. While the operation initially targeted users in India, the threat expanded to impact users in Australia, the United States, and beyond.
“Pushpaganda showed how quickly threat actors use AI to hijack trusted discovery surfaces such as Google Discover feeds, turning routine news and content streams into engines for scareware, deepfakes, and financial fraud,” said Gavin Reid, CISO at HUMAN. “By combining Satori’s threat intelligence with HUMAN’s ad and click fraud defenses, we are cutting off these operations at the infrastructure level so that partners and platforms can protect their users.”
“We keep the vast majority of spam out of Discover through robust spam-fighting systems and policies against emerging forms of low quality, manipulative content. Prior to learning of this report, we launched a fix for the spam issue in question, maintaining our high bar for quality content on Discover,” said Jennifer Kutz, Communications & Public Affairs at Google.
The scheme’s primary mechanism for luring unsuspecting users was through Google’s Discover feeds, the personalized content feed on the homepage of Google Search on mobile devices — a novel technique observed by HUMAN. The threat actors used advanced SEO techniques to inject deceptive news stories containing AI-generated content into personalized content streams on Android and Chrome. Once a user was lured to an actor-controlled domain, they were manipulated into enabling push notifications that later delivered scareware, fake legal threats, and financial scams. When clicked, these notifications redirected users to additional sites owned by the threat actors, generating “organic” traffic to the ads on those sites, which the threat actors then used to cash out.
