Android Users Spammed With Fake Missed Call Alerts
Scammers abuse the notifications and push APIs on Android devices to send spam alerts that are customized to look like a missed call.
Both APIs are used on mobile devices for push notifications – short messages intended to re-engage the user. Messages can be triggered by a local application or server.
“The Notifications API lets us display notifications to the user. It is incredibly powerful and simple to use. Where possible, it uses the same mechanisms a native app would use, giving a completely native look and feel,” reads the description for the Notifications API.
Chrome’s icon changed by the scammer
Lookout’s AI Phishing Service has intercepted a phishing campaign that is currently sending messages to mobile users with a custom icon for the app that triggers the alert. In this case, that app is Google Chrome.
To hide the origin, the fraudsters changed the browser icon to display “missed call” as if it were a missed call notification. The message indicates that the user has an iPhone XS waiting for them.
This is powerful social engineering because users often rely on visual indicators to identify the source of a warning.
Jeremy Richards, a security researcher at Lookout, said in a statement to BleepingComputer: “Scammers are looking to take advantage of the fact that we’re primed to identify certain icons we normally associate with system messages (in this case the icon of the telephone).”
It is important to note that the message will only be displayed if the victim accepts notifications from the spam domain. This means that sites that have gained the trust of the user can be used for this type of phishing campaign.
The following is a brief list of domains that send spam via mobile device push notifications:
Not all notification spam uses this trick of changing the browser icon. However, the messages are tempting enough to claim a few victims.
Same approach for desktops
Richards saw this activity on Android phones; push notifications for Safari on iOS are currently not fully supported. However, the same approach is also suitable for the desktop. Safari and Chrome support web notifications, which can be used to create a fake card. A quick read of the text and a glance at the Slack icon can easily convince the user to click on the alert and go to a phishing site that collects user credentials.
On mobile devices, the same alert is even more believable, because the only visible clues are the name of Chrome, the app that triggers the alert, and the domain that sends the spam. If the Chrome icon is changed, there is little evidence of tampering with the message because only the browser name and domain indicate the attempted fraud.
Peter Beverloo, a Google software engineer, has created a notification generator to test how a push card appears on desktops and mobile devices. The tool allows you to enter a custom title and text for the message and add a selection of images such as icon, badge, picture, and actions.
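Because these alerts only appear for origins the user has allowed to send notifications, reviewing granted permissions is a practical check. The following is an added example (not from the original article or from Lookout) that lists allowed origins in a desktop Chrome profile that are not on an expected list; the Preferences layout described in the comments, the function names and the sample domains are assumptions.

```javascript
// Added example: audit which origins a Chrome profile lets send notifications.
// Assumption: the profile's "Preferences" JSON keeps notification grants under
// profile.content_settings.exceptions.notifications, keyed "<origin>,*",
// with setting 1 = allow and 2 = block.
const ALLOW = 1;
// Chrome stores timestamps as microseconds since 1601-01-01 UTC.
const EPOCH_DELTA_MS = 11644473600000n;

function chromeTimeToISO(micros) {
  if (!micros || !/^\d+$/.test(String(micros))) return null;
  const ms = BigInt(micros) / 1000n - EPOCH_DELTA_MS;
  return new Date(Number(ms)).toISOString();
}

// Returns origins granted notification permission that are not on the
// caller's list of expected origins, most recent grant first.
function unexpectedNotificationOrigins(prefs, expectedOrigins = []) {
  const grants =
    prefs?.profile?.content_settings?.exceptions?.notifications ?? {};
  const expected = new Set(expectedOrigins.map((o) => new URL(o).origin));
  const findings = [];
  for (const [pattern, entry] of Object.entries(grants)) {
    if (entry?.setting !== ALLOW) continue; // skip blocked or default entries
    const primary = pattern.split(",")[0];
    let origin;
    try {
      origin = new URL(primary).origin; // normalises default ports
    } catch {
      origin = primary; // keep wildcard or malformed patterns visible
    }
    if (expected.has(origin)) continue;
    findings.push({ origin, granted: chromeTimeToISO(entry.last_modified) });
  }
  return findings.sort((a, b) =>
    (b.granted ?? "").localeCompare(a.granted ?? ""));
}

// Constructed sample data (not taken from a real profile).
const samplePrefs = {
  profile: { content_settings: { exceptions: { notifications: {
    "https://chat.example.com:443,*": { last_modified: "13200000000000000", setting: 1 },
    "https://prizes.example.net:443,*": { last_modified: "13210000000000000", setting: 1 },
    "https://news.example.org:443,*": { last_modified: "13190000000000000", setting: 2 },
  } } } },
};

console.log(unexpectedNotificationOrigins(samplePrefs, ["https://chat.example.com"]));
```

To run it against a real profile, pass the parsed contents of that profile's Preferences file in place of `samplePrefs`.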