Cyberthreats in push notifications

Push notifications are part of our lives. But what exactly are push notifications and, more importantly, how do they pose a cyberthreat?

22-03-2024 - 6 minute read. Posted in: cybercrime.

Almost all of us get them, and half of the time we probably don’t even think about them. But push notifications are part of our lives. So, what exactly are push notifications and, more importantly, how do they pose a cyberthreat and how can we prevent them from being a threat? We’ll take a closer look at the little pop-up messages below.

What are push notifications?

First and foremost, we need to know what push notifications are. Push notifications are pop-up messages that are shown on a user’s device, either when they’re using it or when it’s locked. They work as a shortcut to messages on your device. Let’s say you’re browsing a website that retails clothes, and you get a pop-up message with a discount code you can use on the website; or you see a little message icon in the bottom right corner of your screen, saying the company has an employee ready to answer any questions you may have.

You can also get push notifications from social media platforms on your phone’s lock screen, so you know if you get any messages or notifications within the app.

The purpose of push notifications is usually to engage the user and provoke an immediate response, compared to "older" means of communication, like emails, on your computer. Of course, emails now have the same effect as text notifications if you have the app on your phone – push notifications appear in real time and our smart devices allow us to respond as quickly as possible.

Push notifications can also simply be:

  • Reminders
  • Calendar and events
  • Ads

The increased popularity of push notifications

With the technological development of smart devices and constant messaging, push notifications have become a fundamental part of online communication. This communication is essential between users, but also between a business and potential customers.

We live in a world connected by the internet and technology, which means that businesses and tech developers have seized the chance to make communication easier and faster.

Since push notifications appear on a user’s device, even when the device is locked, they’re an obvious way of communicating and promoting a business. You can bring the user a good deal, a promo code or direct your marketing to a specific user.

For all users, push notifications have made social media as accessible as possible – when we get a message, we can see it immediately and respond as soon as we want.

Exploitation of push notifications

As with most useful features, threat actors find a way to exploit them. When you allow push notifications, you agree to different terms and conditions, including that the app has access to your data and can target marketing at you (this is connected to cookies and what data you allow it to gather).

Some companies overuse their access to users, meaning that they send out messages more often than you’d like. If you get many notifications from the same supplier, you can accidentally click on things you perhaps never intended to click on.

This is something hackers and malicious actors will exploit. It works just like MFA bombing, where the hacker spams your MFA app to get you to accept a notification because you get tired of the endless notifications. If hackers are sneaky enough, they can get the same result from regular push notifications if they’ve hacked their way into an app.

Malware in push notifications

Hackers can also exploit push notifications to spread malware.

If we get a notification about a good deal or the like, we will usually click on the message without a second thought. And that is exactly what hackers know; this is an easy way for them to spread malware onto your device and thus get access to all your data.

Hackers usually create fake apps on different app stores and hide the malware inside said apps. You might think that you could recognize a fake app a mile away, but hackers have become very good at imitating apps and companies.

Malicious actors furthermore create fake ads and pay providers to share them – if the provider fails to do a proper check of the ad, they suddenly share advertisements that can lead people to malicious software, which will be a flourishing business for the hackers.

Avoid the malware trap

We all want to avoid the hacker’s grasp, so here are a few things you can do to avoid getting malware through push notifications:

1. Limit the number of push notifications you get

Firstly, it’s a good idea to get an overview of which apps and platforms you have allowed push notifications from. Once you know the scope of apps, you can consider limiting the number of apps that send out push notifications. You can usually do this in the settings of your device.

2. Avoid clicking on unknown messages

It can be hard to distinguish between malicious and benevolent messages and push notifications. However, it can be crucial to consider what you click on – which is the case with all good cybersecurity. Take an extra look at the phrasing of the notifications, the visuals and who the sender is – if it looks unfamiliar in any way, simply remove the notification and check if you have downloaded a genuine app.

3. Take a second look at apps

Lastly, we recommend taking a second look at the apps you download. If you find an interesting app in your app store, check if the app has any ratings, how many downloads it has (if possible) and check the description and release date. If you can see that the app was released recently and doesn’t have much information about it, consider how important it is for you to download the app. An extra thought can save you and your data.

If you’re more interested in cyber threats and apps, we have a blog post where you can learn about 10 of the biggest cybersecurity threats there are today.

Author Caroline Preisler

Caroline is a copywriter here at Moxso alongside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding – these elements are incorporated into the copywriting work she does here at Moxso.
