Phishing operators are abusing the web Notifications and Push APIs on Android devices to deliver spam alerts styled to look like a missed call. Both APIs underpin push notifications on mobile devices: short messages meant to re-engage the user. A notification can be triggered locally by a web page or, through the Push API, by a remote server.
The Notifications API lets a web page display notifications to the user. It is powerful and simple to use, and where possible it relies on the same mechanisms a native app would, giving the notification a completely native look and feel. That native look is precisely what makes it useful for impersonation: the user sees an alert that is indistinguishable in style from those the phone itself produces.
A security firm's AI-driven phishing detection service has intercepted a campaign that is currently sending push messages to mobile users with a custom icon in place of the icon of the app that raises the alert, in this case Google Chrome.
To disguise the source, the attackers replaced the browser icon with a telephone icon and titled the alert "missed call", so it reads as a missed-call notification from the phone itself. The message body claims that an iPhone XS is waiting for the user.
This is effective social engineering because users rely on visual cues to identify the source of an alert. The scammers exploit the fact that we are primed to treat certain icons, here the telephone icon, as belonging to system messages.
It is important to note that the notification is displayed only if the victim has previously granted notification permission to the spam domain. This means the technique depends on sites that have already gained the user's trust, and any site holding that permission can be used for this type of phishing campaign. The corresponding check on the user's side is the browser's per-site notification settings: revoking the permission for a domain stops its notifications outright.
Not all notification spam uses this icon-swapping trick; plainer variants still carry lures tempting enough to catch some victims. The researchers observed this activity on Android phones, which is expected, because Safari on iOS does not support web push notifications at the time of writing.
The same approach works on the desktop, however. Desktop Safari and Chrome both support web notifications, and the same fields can be used to build a fake Slack message card. A user who skims the text and sees the Slack icon can easily be persuaded to click the alert and land on a phishing site that harvests credentials.
On mobile devices the fake alert is even more convincing. The only elements that identify the true source are the name of the app raising the alert (Chrome) and the domain sending the notification; once the Chrome icon is replaced, only that browser name and domain remain as evidence that the message is fraudulent.
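The following is an added example and is not code from the article or from the security firm it describes. The first half shows, in terms of the standard Notifications API fields (title, body, icon, badge, data), what a spam site's service worker sets to produce the missed-call alert on Android and the fake Slack card on the desktop; my reading is that "changing the browser icon" corresponds to the badge option, which on Chrome for Android replaces the small status-bar icon. The second half is a heuristic that a sandbox subscribed to a site's notifications could apply to the same fields to flag impersonation. All origins, sample payloads, the phrase and brand lists and the function names are constructed assumptions for this example.

```javascript
// Added example (not code from the article or the security firm it describes).
// Part 1: the fields a spam site sets to impersonate a system or brand notification.
// Part 2: a heuristic an inspecting sandbox could run over the same fields.
// Sample payloads, origins, phrase and brand lists are constructed for this example.

// --- Part 1: the sender's side ------------------------------------------------
// Constructed payload modelled on the campaign described above. `badge` is the small
// monochrome icon Chrome on Android shows in the status bar instead of its own icon;
// `icon` is the large image beside the text; `data.url` is what a click opens.
const MISSED_CALL_LURE = {
  title: 'Missed call',
  body: 'You have an iPhone XS waiting for you. Tap to claim it.',
  icon: 'https://cdn.example-spam.test/phone.png',
  badge: 'https://cdn.example-spam.test/phone-mono.png',
  data: { url: 'https://claim.example-spam.test/iphone' },
};

// Desktop variant: a fake Slack card. Note the icon is hosted on the sending site,
// so an origin check alone would not catch it.
const FAKE_SLACK_CARD = {
  title: 'Slack',
  body: 'IT Security: your password expires today, sign in to keep access.',
  icon: '/img/slack-logo.png',
  data: { url: 'https://sso.example-spam.test/slack' },
};

// What a service worker on the sending origin does with such a payload.
function showLure(registration, payload) {
  const { title, ...options } = payload;
  return registration.showNotification(title, options);
}

// Handlers are registered only when this file actually runs inside a service worker.
if (typeof self !== 'undefined' && typeof self.registration !== 'undefined') {
  self.addEventListener('push', (event) => {
    const payload = event.data ? event.data.json() : MISSED_CALL_LURE;
    event.waitUntil(showLure(self.registration, payload));
  });
  self.addEventListener('notificationclick', (event) => {
    event.notification.close();
    event.waitUntil(self.clients.openWindow(event.notification.data.url));
  });
}

// --- Part 2: the inspecting side ----------------------------------------------
// Wording that mimics OS notifications, and brands commonly impersonated.
// Both lists are illustrative starting points, not a complete ruleset.
const SYSTEM_STYLE_PHRASES = [/missed call/i, /voice ?mail/i, /virus/i, /battery/i, /update required/i];
const IMPERSONATED_BRANDS = ['slack', 'google', 'microsoft', 'whatsapp', 'paypal'];

// Resolve a possibly relative URL against the sending origin and return its origin.
function originOf(url, sendingOrigin) {
  return new URL(url, sendingOrigin).origin;
}

// Score one showNotification(title, options) call made by `sendingOrigin`.
// Returns every signal found; two or more independent signals mark it suspicious,
// because legitimate sites also use badges, CDNs and brand names in isolation.
function scoreNotification(sendingOrigin, title, options = {}) {
  const reasons = [];
  const text = `${title} ${options.body || ''}`;
  const host = new URL(sendingOrigin).hostname;

  if (SYSTEM_STYLE_PHRASES.some((rx) => rx.test(text))) {
    reasons.push('wording mimics a system notification');
  }
  for (const brand of IMPERSONATED_BRANDS) {
    if (text.toLowerCase().includes(brand) && !host.includes(brand)) {
      reasons.push(`mentions ${brand} but is sent by ${host}`);
    }
  }
  // The browser's own icon is the main visual tell; a badge replaces it on Android.
  if (options.badge) reasons.push('badge replaces the browser status-bar icon');
  for (const key of ['icon', 'badge']) {
    if (options[key] && originOf(options[key], sendingOrigin) !== sendingOrigin) {
      reasons.push(`${key} loaded from ${originOf(options[key], sendingOrigin)}`);
    }
  }
  const target = options.data && options.data.url;
  if (target && originOf(target, sendingOrigin) !== sendingOrigin) {
    reasons.push(`click opens ${originOf(target, sendingOrigin)}, not the sender`);
  }
  return { suspicious: reasons.length >= 2, reasons };
}

// Convenience wrapper for payloads in the shape used above.
function scorePayload(sendingOrigin, payload) {
  const { title, ...options } = payload;
  return scoreNotification(sendingOrigin, title, options);
}
```

Run under Node to exercise the scoring; the service-worker handlers are skipped there. Against a sending origin of https://news.example-spam.test the missed-call payload produces five signals and the Slack card two, while a genuine notification from https://app.slack.com with a same-origin icon and click target produces none. The origin checks alone would miss a phisher who hosts icon, badge and landing page on a single domain, which is why the wording and brand checks are kept alongside them.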