Connect with us

Hi, what are you looking for?


Malware & Threats

Push Technology Used in Mobile Attacks

Researchers have detected an Android trojan that abuses the web push technology. In its benign use, web push is used by legitimate websites — such as news sites — to send out new event notifications. The less benign use is to employ the technology to send out what amounts to phishing notifications.

Researchers have detected an Android trojan that abuses the web push technology. In its benign use, web push is used by legitimate websites — such as news sites — to send out new event notifications. The less benign use is to employ the technology to send out what amounts to phishing notifications.

Android.FakeApp.174 was discovered by Doctor Web researchers in two apps on Google Play. These have since been removed. The malware pretends to be the official app of a major brand. However, when the app is launched, it opens a series of websites in Chrome. Each website asks the user to allow notifications — sometimes openly, and sometimes disguised as verification proof that the user is human and not a robot.

If notifications are allowed by the user, those websites start sending out dubious content. The notifications are received and displayed in the Android status bar even if the browser is closed, and even if the app has been removed. The contact is now between the website and the device — and the user has given permission for the website to contact it. 

The content delivered is dubious to say the least, “from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various ‘news’.” Since the attacker has control over the notifications, it could be anything. Examples found by Doctor Web include links to casino sites, adult sites, phishing sites, and snake oil medicines. 

“Many of these resources,” warn the researchers, “are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an ‘important’ notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.”

Abuse of web push technology is not new and not limited to mobile applications. Malwarebytes published a separate report yesterday warning that attackers are using the same approach with browser extensions for Chrome and Firefox. “These threats pose as useful plugins then haggle users with notifications.”

Malwarebytes classifies this category of extension as PUP.Optional.extension_name. PUP stands for ‘potentially unwanted program’. Optional indicates that some genuine functionality is usually offered, and the user chooses to install it.

Advertisement. Scroll to continue reading.

Two examples are discussed: StreamAll for Chrome, and a family of Firefox extensions that Malwarebytes calls Trojan.FBSpammer. The primary purpose of StreamAll is to get the user to accept notifications — and therefore unrequested adverts — while promoting itself as a movie search and stream extension.

The second family of push PUPs is downloaded from sites that try to convince users they need a Flash player update. Like StreamAll, they ask for notifications to be allowed, and then push out adverts from an ad provider. But this family goes further. If the user is logged into Facebook, the extension will join the user to some Facebook groups, and then spam the members — giving, says Malwarebytes, “your Facebook reputation a quick shove into the cellar.”

The solution to abused push technology is to be very careful where it is allowed. There are some genuinely valuable uses of the technology, so it would be counterproductive to simply deny all — but care needs to be taken. This goes for both browser extensions and mobile apps.

Related: The Battle With “Potentially Unwanted” Programs in the Enterprise 

Related: Malwarebytes Scores Legal Win Over Enigma Software 

Related: Behind the Scenes in the Deceptive App Wars 

Related: Researchers Expose Huge Ad Scam Operation

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...