
Pushpaganda: AI-Generated Fake News in Google Discover Is Now Targeting Your Employees' Phones

HUMAN Security uncovered Pushpaganda — 240M poisoned ad requests exploiting Google Discover to deliver scareware via Android push notifications. Here's what every Saudi financial CISO must act on now.

FyntraLink Team

On April 14, 2026, HUMAN Security's Satori Threat Intelligence team exposed Pushpaganda — an AI-driven ad fraud and scareware operation that, at its peak, generated over 240 million malicious bid requests from 113 domains in a single seven-day window. The delivery mechanism is Google Discover, the personalized content feed that lives on every Android home screen and inside Chrome. If your employees carry Android phones and stay informed through that feed — and in Saudi Arabia, most of them do — this campaign has almost certainly reached their devices already.

How Pushpaganda Works: SEO Poisoning Meets Notification Hijacking

Unlike phishing emails that land in a quarantined folder, Pushpaganda bypasses corporate email security entirely. Threat actors used advanced SEO poisoning techniques to inject AI-generated, deceptive news articles into Google Discover's personalized content stream, targeting Android and Chrome users globally. When a user clicks one of these fabricated stories, they are prompted to enable browser push notifications — framed as a legitimate "subscribe for breaking news" request. From that moment, the attacker owns a persistent, silent delivery channel directly into the device. The notifications that follow deliver scareware messages: fake virus alerts, fraudulent financial warnings, and social engineering lures calibrated to extract credentials or payment.

Why the Real Risk Is Bigger Than Scareware

Most coverage of Pushpaganda has focused on its ad fraud revenue model. For a CISO at a Saudi bank, insurance company, or fintech, the more alarming implication is the notification persistence vector. A bank employee who subscribes — even unknowingly — to one of these malicious domains on a corporate-connected Android device has just handed an attacker a reliable, out-of-band delivery channel. That channel sits entirely outside the corporate email security stack, outside endpoint DLP controls, and outside the web proxy inspection layer. The attacker is not limited to scareware; the same subscription can deliver spoofed urgent IT alerts prompting re-authentication, fake SAMA compliance notices with credential-harvesting links, or fraudulent internal announcements impersonating HR or the security team. Persistent push access on a mobile device used for corporate email and banking approvals is a serious insider-threat amplifier.

The Google Discover Attack Surface and Saudi Mobile Exposure

Saudi Arabia carries one of the world's highest smartphone penetration rates, with Android commanding over 70% of the mobile market. Google Discover is a default, always-on feature on most Android devices and is widely used by financial sector employees as a daily news aggregator. This creates a disproportionate attack surface for Discover-based campaigns across the Kingdom's banking, insurance, and capital markets firms. SAMA's Cyber Security Framework (CSCC 2.0) requires member organizations to extend security controls across all channels through which sensitive data flows — explicitly including mobile devices used for corporate communication. NCA ECC Control 2-7 mandates mobile device management (MDM) policies that govern browser behavior and application permissions on devices accessing corporate resources. Pushpaganda exploits the enforcement gap that still exists between these policy requirements and how they are practically applied to employee devices in the field.

Recommended Controls: What Saudi Financial CISOs Must Prioritize

  1. Audit and revoke malicious push notification subscriptions via MDM. Deploy a policy through Microsoft Intune, VMware Workspace ONE, or an equivalent MDM platform to enumerate Chrome notification subscriptions on corporate and BYOD devices. Bulk-revoke any subscription not explicitly whitelisted by IT security, and block the ability for users to grant new permissions without approval.
  2. Enforce Chrome Enterprise notification blocking via Group Policy. Set the Chrome policy DefaultNotificationsSetting to 2 (blocked for all sites) across corporate devices, with NotificationsAllowedForUrls restricted to a curated whitelist. This eliminates the Pushpaganda attack surface at the policy layer, independent of which domains are active at any given time.
  3. Enable Chrome's Enhanced Safe Browsing on all corporate endpoints. Google has patched the specific Pushpaganda domains, but the SEO poisoning technique is trivially replicable by copycat actors. Enhanced Safe Browsing provides real-time URL evaluation against Google's threat intelligence feeds, catching successive campaigns before employees encounter them.
  4. Ingest Pushpaganda IOCs into SIEM and DNS filtering. HUMAN Security has published indicators of compromise for the 113 active Pushpaganda domains. Import these into Splunk, Microsoft Sentinel, IBM QRadar, or your DNS filtering solution (Cisco Umbrella, Infoblox BloxOne) and alert on outbound connections from corporate IP ranges or VPN sessions.
  5. Update security awareness training to cover Google Discover as a phishing vector. Most Saudi financial institution awareness programs focus on email lures and SMS smishing. Add a dedicated module — with real Pushpaganda screenshots — covering AI-generated fake news in content feeds, the notification permission flow, and how to revoke subscriptions in Chrome settings.
  6. Review BYOD policy compliance against SAMA CSCC Clause 3.3.5. Any BYOD program allowing employees to access corporate data on personal Android devices must require MDM enrollment as a precondition of access, including notification permission auditing as a baseline control. Document this review as evidence for your next SAMA examination cycle.
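The Chrome policy hardening in recommendation 2 is easy to get subtly wrong: leaving DefaultNotificationsSetting unset (Chrome then falls back to "ask", which is exactly the prompt Pushpaganda abuses) or adding a wildcard to the allow-list quietly undoes the control. The following Python script is an added example, not code from HUMAN Security, Google or Fyntralink. It builds the managed-policy JSON for the blocked-by-default baseline and audits an existing policy dictionary against it. The policy names and the value meanings (1 = allow, 2 = block, 3 = ask) are the ones documented in the Chrome Enterprise policy list; the allowed host `[*.]intranet.example.sa` is a constructed placeholder, and how the JSON is delivered (Intune, Workspace ONE, a managed-policies directory on desktop Chrome) is left to your MDM.

```python
import json
import re

# Documented values of the Chrome policy DefaultNotificationsSetting:
# 1 = allow all sites, 2 = block all sites, 3 = ask the user (Chrome's own default).
ALLOW, BLOCK, ASK = 1, 2, 3

# Chrome content-setting URL pattern: optional scheme, optional [*.] subdomain
# wildcard, a hostname, optional port. Good enough to catch obvious typos.
_URL_PATTERN = re.compile(r"^(https?://)?(\[\*\.\])?[A-Za-z0-9.-]+(:\d+)?$")


def build_notification_policy(allowed_hosts):
    """Return a managed-policy dict: web push blocked everywhere except the allow-list.

    allowed_hosts are Chrome URL patterns without scheme, e.g. "[*.]intranet.example.sa"
    (constructed placeholder); https:// is prepended so plaintext origins never qualify.
    """
    return {
        "DefaultNotificationsSetting": BLOCK,
        "NotificationsAllowedForUrls": [f"https://{h}" for h in allowed_hosts],
    }


def audit_notification_policy(policy):
    """Return a list of findings; an empty list means the policy matches the hardened baseline."""
    findings = []
    setting = policy.get("DefaultNotificationsSetting")
    if setting is None:
        findings.append("DefaultNotificationsSetting unset: Chrome falls back to 'ask', so any site can prompt")
    elif setting == ALLOW:
        findings.append("DefaultNotificationsSetting=1 allows every site to push without prompting")
    elif setting == ASK:
        findings.append("DefaultNotificationsSetting=3 leaves the 'subscribe for breaking news' prompt in place")
    elif setting != BLOCK:
        findings.append(f"DefaultNotificationsSetting={setting!r} is not a valid value")

    for pattern in policy.get("NotificationsAllowedForUrls", []):
        if pattern == "*" or pattern.startswith("*"):
            findings.append(f"allow-list entry {pattern!r} re-opens notifications for all sites")
        elif pattern.startswith("http://"):
            findings.append(f"allow-list entry {pattern!r} permits a plaintext origin")
        elif not _URL_PATTERN.match(pattern):
            findings.append(f"allow-list entry {pattern!r} is not a valid Chrome URL pattern")
    return findings


def render_managed_policy(policy):
    """Serialize the policy as the JSON document an MDM or managed-policies file would carry."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    hardened = build_notification_policy(["[*.]intranet.example.sa"])
    print(render_managed_policy(hardened))
    print("hardened findings:", audit_notification_policy(hardened))

    # A policy that looks configured but still leaves the prompt open.
    weak = {"DefaultNotificationsSetting": ASK, "NotificationsAllowedForUrls": ["*"]}
    print("weak findings:", audit_notification_policy(weak))
```

Run the audit against the policy export from each MDM profile, not just the one you believe is current; a stale profile with DefaultNotificationsSetting=3 on a subset of devices is precisely the enforcement gap the article describes.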

Conclusion

Pushpaganda demonstrates that the threat surface of a Saudi financial institution extends well beyond the perimeter firewall and the email gateway. When 240 million malicious ad requests flow through a legitimate, trusted platform like Google Discover in a single week, the question is no longer whether your employees encountered these ads — it is whether your controls detected and contained what happened next. The notification persistence vector is an immediate policy gap that demands MDM enforcement, Chrome policy hardening, and updated employee training. Waiting for the next Google patch cycle is not a mitigation strategy.
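Recommendation 4 above, ingesting the published IOCs and alerting on outbound connections from corporate ranges, is the detection half of that question. The script below is an added example, not Fyntralink's or HUMAN Security's code. It runs an IOC match over resolver log lines and reports only queries from corporate address space. The IOC domains, the corporate ranges and the log format (`timestamp client_ip qtype qname rcode`) are all constructed placeholders; the real domain list comes from HUMAN Security's publication. The match is suffix-based on DNS labels, so subdomains of an IOC hit while look-alike names that merely contain the string do not.

```python
import ipaddress
from collections import Counter

# Constructed stand-ins for the published IOC list (real domains are NOT reproduced here).
IOC_DOMAINS = {
    "ioc-placeholder-1.example",
    "ioc-placeholder-2.example",
}

# Constructed corporate address space; replace with your own ranges and VPN pools.
CORP_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("172.16.40.0/22"),
]


def normalise(name):
    """Lower-case and strip the trailing dot resolvers add to fully qualified names."""
    return name.lower().rstrip(".")


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """True when qname is an IOC domain or any subdomain of one.

    Walks the label suffixes, so "alerts.ioc-placeholder-1.example" matches but
    "not-ioc-placeholder-1.example" does not (a naive substring check would hit both).
    """
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def parse_line(line):
    """Parse one constructed resolver-log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, rcode = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname, "rcode": rcode}


def detect(lines, iocs=IOC_DOMAINS):
    """Return the records that are both from corporate space and aimed at an IOC domain."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_corporate(rec["client"]) and matches_ioc(rec["qname"], iocs):
            alerts.append(rec)
    return alerts


def summarise(alerts):
    """Count alerts per client so the noisiest devices surface first for MDM follow-up."""
    return Counter(a["client"] for a in alerts)


# Constructed sample log: two corporate hits, one off-network query, one look-alike, one bad line.
SAMPLE_LOG = """\
2026-04-15T09:12:03Z 10.20.30.41 A news-alerts.ioc-placeholder-1.example NOERROR
2026-04-15T09:12:04Z 10.20.30.41 A www.google.com NOERROR
2026-04-15T09:13:10Z 203.0.113.7 A ioc-placeholder-2.example NOERROR
2026-04-15T09:14:22Z 172.16.41.9 AAAA IOC-PLACEHOLDER-2.EXAMPLE. NOERROR
2026-04-15T09:15:00Z 10.20.31.5 A not-ioc-placeholder-1.example NOERROR
malformed line
""".splitlines()


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for rec in hits:
        print(f"ALERT {rec['ts']} {rec['client']} -> {rec['qname']}")
    print("per-client:", dict(summarise(hits)))
```

The same suffix-match logic translates directly into a Splunk lookup or a Sentinel KQL `endswith` join; the point of the offline script is to confirm the matching rules (case, trailing dot, subdomains, look-alikes) before the list goes into production tooling.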

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment covering mobile security controls, BYOD policy gaps, and NCA ECC compliance readiness.