
The Robot Behind the Feed

  • Javier Conejo del Cerro
  • 7 hours ago
  • 3 min read

What looks like a personalized news feed has quietly become a programmable machine. In the Pushpaganda campaign, attackers turned Google Discover into an automated distribution system — a robot that feeds users AI-generated stories, captures their attention, and converts it into revenue through deception. This is not just ad fraud. It is the industrialization of trust manipulation at scale.


Phase 1: Training the Robot


The attack begins by poisoning search and discovery mechanisms. Threat actors deploy SEO manipulation techniques and generate large volumes of AI-written “news” content across more than 113 domains. These pages are designed not to inform, but to rank, blend in, and be picked up by Google Discover’s personalization engine.

By aligning content with trending topics and user interests, the attackers effectively “train” the algorithm to surface their malicious pages. At its peak, this system generated approximately 240 million bid requests in just seven days, indicating massive reach and automated traffic generation.


Phase 2: Hooking the User 


Once surfaced in Discover, the content appears legitimate. Users click, expecting news — but land on controlled domains filled with AI-generated articles engineered to create urgency or fear.

Here, the robot shifts from distribution to engagement. The pages prompt users to enable browser push notifications. This is the critical moment: instead of exploiting a vulnerability, the attackers exploit trust and behavior.

With one click, the user unknowingly grants persistent access.


Phase 3: The Notification Engine 


After subscription, the system activates its core function: automated scareware delivery.

Push notifications begin to display alarming messages — fake legal warnings, security alerts, or urgent issues — designed to trigger immediate action. These messages redirect users to additional attacker-controlled domains, creating continuous traffic loops.

Each click generates ad impressions and revenue. The user becomes part of a monetization engine driven entirely by manipulation rather than malware.


Phase 4: Scaling the Machine 


Pushpaganda does not operate in isolation. It connects to a broader fraud infrastructure, such as the Low5 ecosystem — a network of over 3,000 domains and 63 Android apps, capable of generating up to 2 billion bid requests per day across 40 million devices.

This shared monetization layer allows multiple threat actors to reuse the same infrastructure. Even if one campaign is disrupted, the underlying system persists, enabling rapid replication and resilience.

The robot does not stop. It evolves, scales, and continues feeding.


Phase 5: Persistence Without Malware 


Unlike traditional campaigns, Pushpaganda achieves persistence without installing malware. Instead, it leverages browser permissions, algorithmic trust, and user behavior.

The attack chain avoids detection by:

  • Operating within legitimate platforms (Google Discover, browsers)

  • Using real devices and organic traffic patterns

  • Replacing code execution with psychological triggers


This marks a shift: the system itself becomes the attack surface.

Pushpaganda demonstrates a fundamental transformation in cyber threats. Attackers are no longer just breaking into systems — they are programming ecosystems.


By combining AI-generated content, SEO manipulation, and push notification abuse, they have built a self-sustaining robot that converts trust into revenue at scale. The abuse of discovery platforms like Google Discover shows how even trusted interfaces can be weaponized when algorithms are manipulated.


Defending against this model requires more than blocking malware. It demands continuous visibility into content sources, stricter control over browser permissions, and proactive identification of fraud infrastructure.
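One way to act on the "stricter control over browser permissions" point, shown as an added example that is not part of the original article: audit a Chrome profile's `Preferences` file for sites that have been granted notification permission and are not on an approved list. The JSON layout and the setting value 1 for "allow" are assumptions based on how Chromium commonly stores these grants; the hostnames, the sample data and the function name are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # assumed Chromium content-setting value for "allow" (2 is "block")
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of last_modified

# Constructed sample of the relevant part of a Chrome profile "Preferences" file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*":   {"last_modified": "13350000000000000", "setting": 1},
  "https://daily-news.example:443,*": {"last_modified": "13360000000000000", "setting": 1},
  "https://ads.example.net:443,*":    {"last_modified": "13340000000000000", "setting": 2}
}}}}}
""")

def granted_notification_origins(prefs, allowlist=frozenset()):
    """Return hosts allowed to push notifications that are not allowlisted,
    newest grant first (hypothetical helper, not a Chrome API)."""
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, value in entries.items():
        if value.get("setting") != ALLOW:
            continue  # blocked or default: this site cannot push anything
        primary = pattern.split(",", 1)[0]  # key is an "origin,embedder" pair
        host = urlsplit(primary).hostname or primary  # keep wildcard patterns as-is
        if host in allowlist:
            continue
        try:
            micros = int(value.get("last_modified", 0))
            granted = WEBKIT_EPOCH + timedelta(microseconds=micros)
        except (TypeError, ValueError, OverflowError):
            granted = None  # malformed timestamp: still report the grant
        findings.append({"host": host, "granted": granted})
    findings.sort(key=lambda f: f["granted"] or WEBKIT_EPOCH, reverse=True)
    return findings

if __name__ == "__main__":
    for f in granted_notification_origins(SAMPLE_PREFS, {"mail.example.com"}):
        print(f["host"], f["granted"])
```

On managed fleets the same control can be enforced centrally with Chrome's `DefaultNotificationsSetting` policy, leaving this audit for finding grants that already exist.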


Because when the robot controls the feed, the attack is no longer outside the system.

It is the system.



The Hacker News


 
 
 


