Fake Missed Call Notifications Used Against Android Users

Jeremy Richards, an expert at Lookout, told BleepingComputer journalists about a new trick scammers are using against Android device users. Attackers are abusing the Notifications and Push API functionality, as well as using Google Chrome for Android, to display fake missed call notifications to users.

As shown in the screenshots below, scammers disguise their malicious activity as missed calls (for example, from someone named Esmeralda) and sometimes accompany their “bait” with a message claiming the victim has won an iPhone XS.

How the Scam Works

The researcher emphasizes that such messages can only be seen if the user themselves allows notifications from a suspicious domain. This is a worrying sign, as even trusted websites can be compromised to conduct similar phishing campaigns.

Domains Sending Fake Push Notifications

Currently, experts have found that fake push notifications are coming from the following domains:

• consumertestconnect.com
• foundmoneyguide.com
• getitfree-samples.com
• click4riches.info
• yousweeps.com (this domain hosts dozens of template sites for various brands)

Not Just an Android Problem

Jeremy Richards notes that scammers can use the same trick against desktop users, since browsers like Safari and Chrome support web notifications that can be made to look legitimate.

BleepingComputer journalists also point out that Google engineer Peter Beverloo has created a special notification generator that can be used to test how push notifications appear on both desktop and mobile devices.