Google Android users were pestered last week by a series of fake notifications popping up on their devices.
According to Paul Ducklin of Naked Security by Sophos’, the string of phony popups first became an annoyance for users of the Google Hangouts app before bothering users of Microsoft Teams.
“Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages,” wrote Ducklin in a blog post published on August 28.
“To be clear, it wasn’t Microsoft testing notifications in the Teams app for Android. The bogus alerts caught the software giant off guard, too.”
From their content, the notifications don’t appear to be malicious or criminal in intent. No dubious links or calls to action were included, with messages simply stating the header “FCM Messages” followed by the text “Test Notification!!!!”
Pondering the identity of the sender and their motive, Ducklin commented: “The messages did indeed look like some sort of test—but by whom, and for what purpose?
“The four exclamation points suggested someone of a hackerish persuasion—perhaps some sort of overcooked ‘proof of concept’ (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop.”
Ducklin suggests that the spate of fake notifications may be connected to a recent discovery made by a cybersecurity researcher and bug bounty hunter calling themself “Abbs.” On August 17, Abbs claimed to have earned $30K for identifying a coding vulnerability in numerous Android apps that could enable someone to highjack the Firebase Cloud Messaging (FCM) service.
Describing the weakness, Abbs exclaimed: “A malicious attacker could control the content of push notifications to any application that runs the FCM SDK and has its FCM server key exposed, and at the same time send these notifications to every single user of the vulnerable application!
“These notifications could contain anything the attacker wants including graphic/disturbing images (via the ‘image’: ‘url-to-image’ attribute) accompanied with any demeaning or politically inclined message in the notification!”
The author of the notifications, which were promptly halted by Google and Microsoft, has yet to be identified.
Source: Infosecurity Magazine