Scammers are pushing spam alerts disguised as missed phone calls by abusing the Notifications and Push APIs in Google Chrome on Android devices. The Notifications and Push APIs are used on mobile devices to send push notifications and short alerts to users.
The big picture
Researchers from Lookout observed a phishing campaign that pushes alerts in the form of missed calls to Android users with a custom Google Chrome icon.
“Scammers are looking to take advantage of the fact that we’re primed to identify certain icons we normally associate with system messages (in this case the icon of the telephone),” Jeremy Richards, a security researcher at Lookout, told BleepingComputer.
Not all spam alerts use the trick of changing the browser's icon; those that do not carry messages attractive enough to lure unsuspecting victims.
Alerts are displayed on a device only if the victim has allowed notifications from the domain. This implies that sites that have earned the user's trust can be used to trick victims.
The spammy domains that push spam notifications on mobile devices include consumertestconnect[.]com, foundmoneyguide[.]com, getitfree-samples[.]com, click4riches[.]info, and yousweeps[.]com, among others.
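Because the alerts depend on a per-domain permission grant, a defender can audit which origins hold notification permission against the domains listed above. The following is an added example, not part of the original article or Lookout's research; the JSON layout and the value 1 for "allow" are assumptions modelled on the Preferences file of a desktop Chrome profile, and the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Defanged domains listed in the article.
SPAM_DOMAINS_DEFANGED = [
    "consumertestconnect[.]com", "foundmoneyguide[.]com",
    "getitfree-samples[.]com", "click4riches[.]info", "yousweeps[.]com",
]
ALLOW = 1  # assumed value for "allow" in the content-settings data

# Constructed sample (not real data), shaped like the notification
# exceptions in a Chrome profile's Preferences JSON (assumed layout).
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://news.example.org:443,*": {"setting": 1},
        "https://push.YouSweeps.com:443,*": {"setting": 1},
        "https://click4riches.info:443,*": {"setting": 2},
        "https://notfoundmoneyguide.com:443,*": {"setting": 1},
        "http://getitfree-samples.com:80,*": {"setting": 1},
    }}}}})

def refang(domain):
    """Turn 'example[.]com' back into a comparable lowercase hostname."""
    return domain.replace("[.]", ".").strip().lower()

def host_of(pattern):
    """Extract the hostname from a key such as 'https://[*.]a.b:443,*'."""
    origin = pattern.split(",", 1)[0].replace("[*.]", "")
    return (urlsplit(origin).hostname or "").lower()

def matches(host, blocklist):
    """True for a listed domain or any subdomain, never a mere suffix."""
    return any(host == d or host.endswith("." + d) for d in blocklist)

def audit(prefs_json, defanged=SPAM_DOMAINS_DEFANGED):
    """Return sorted hosts that may send notifications and are listed."""
    blocklist = {refang(d) for d in defanged}
    entries = (json.loads(prefs_json).get("profile", {})
               .get("content_settings", {}).get("exceptions", {})
               .get("notifications", {}))
    hits = set()
    for pattern, value in entries.items():
        host = host_of(pattern)
        if value.get("setting") == ALLOW and matches(host, blocklist):
            hits.add(host)
    return sorted(hits)

if __name__ == "__main__":
    for host in audit(SAMPLE_PREFS):
        print("notification permission granted to listed domain:", host)
```

Matching on the exact domain or a dot-separated subdomain keeps lookalike names such as notfoundmoneyguide.com from being flagged, and blocked entries are skipped because they cannot display alerts.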
Spam alerts look credible on mobile devices
Richards noted that spam alerts are credible on mobile devices because an alert requires just Chrome's name, as the app that triggers the notification, and the domain pushing the spam. When Chrome's icon is changed, the icon does not indicate the forged nature of the message; the only things that give away the fake alert are the name of the browser and the domain.