Fake System Alerts on the Rise: Researchers Warn of Stealthy Push-Notification Attacks Stealing Personal Data
The420 Web Desk — November 25, 2025 | 9:34 AM
A fast-spreading phishing tactic is blurring the line between real device notifications and malicious alerts, posing a serious threat to users’ personal data worldwide. Cybersecurity analysts have identified a surge in browser-based attacks that disguise themselves as trusted system prompts, tricking users into handing over credentials for platforms like Netflix, PayPal, TikTok, MetaMask, and more.
When a Fake Notification Looks Real
Security researchers report that attackers are increasingly using web-push notifications—normally a routine browser feature—to mimic official system alerts. The attack begins when a user unknowingly allows notifications from a deceptive website. Once enabled, cybercriminals gain the ability to push fraudulent system-style warnings at any time, even after the user has closed the original page.
“The templates we uncovered impersonate providers such as MetaMask, Netflix, Cloudflare, PayPal, TikTok, and many others,” said Brenda Robb of BlackFog Security. “Each is crafted to resemble a legitimate security alert from these platforms.”
The technique exploits a core human instinct: trusting the device’s own notifications without question.
Matrix Push C2: A Coordinated Attack System
These attacks are not isolated. According to a new BlackFog threat-intelligence report, the alerts originate from a sophisticated command-and-control framework called Matrix Push C2. The platform weaponizes browser permissions to deliver a continuous stream of deceptive alerts.
The system utilizes three key tactics:
- Push notifications engineered to imitate system-level warnings
- Fake security messages invoking well-known brands
- Redirect chains leading to professional-looking credential-harvesting pages
BlackFog researchers described the platform as one that “turns web browsers into an attack-delivery vehicle” by exploiting permission settings users rarely reevaluate.
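One way to review the rarely revisited permission grants mentioned above, as an added example that is not from BlackFog or the original article: it reads a Chromium-style Preferences file and lists every origin still allowed to push notifications, newest grant first. The Preferences layout (`profile.content_settings.exceptions.notifications`, with setting 1 meaning allow), the sample origins and the `trusted` allowlist are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Chromium "Preferences" fragment. Assumed layout:
# profile.content_settings.exceptions.notifications, setting 1 = allow, 2 = block.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*":
            {"last_modified": "13370000000000000", "setting": 1},
        "https://free-stream.example.net:443,*":
            {"last_modified": "13380000000000000", "setting": 1},
        "https://news.example.org:443,*":
            {"last_modified": "13375000000000000", "setting": 2},
    }}}}})

# Chromium stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Convert a Chromium microseconds-since-1601 value to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def allowed_notification_origins(prefs_text, trusted=frozenset()):
    """Return (origin, granted_at, is_trusted) for each origin allowed to push.

    Results are sorted newest grant first, so recent and unexpected
    permissions surface at the top of the review list.
    """
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("notifications", {}))
    rows = []
    for pattern, meta in entries.items():
        if meta.get("setting") != 1:      # skip blocked or unset origins
            continue
        origin = pattern.split(",", 1)[0]  # key is "origin,embedder-pattern"
        granted = webkit_to_datetime(meta.get("last_modified", "0"))
        rows.append((origin, granted, origin in trusted))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    known_good = {"https://mail.example.com:443"}  # hypothetical allowlist
    for origin, granted, ok in allowed_notification_origins(SAMPLE_PREFS, known_good):
        label = "trusted" if ok else "REVIEW"
        print(f"{label:8} {origin}  granted {granted:%Y-%m-%d %H:%M} UTC")
```

Origins marked REVIEW are candidates for revoking the notification permission in the browser's site settings.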
A Week of Attacks That Don’t Look Like Attacks
The discovery of Matrix Push comes amid a series of stealth-based cyber incidents that reflect a changing threat model.
Earlier this week, analysts uncovered Sturnus, a new Android banking trojan capable of capturing encrypted instant-message content by grabbing it directly from the device’s screen. Researchers also highlighted the rise of clipboard-based attacks, where malicious actors quietly access and extract sensitive information from copy-and-paste operations.
Together, these cases point to an emerging trend: attackers are shifting toward misusing built-in system features—notifications, clipboards, on-screen data—rather than deploying traditional malware that antivirus tools can easily detect.
Push-notification phishing is especially dangerous because it embeds itself into a trusted visual space, making malicious alerts almost indistinguishable from genuine system warnings.
A Growing, Persistent Threat
Experts warn that these attacks will not fade anytime soon. Several realities make the threat durable:
- Phishing remains the most effective cybercrime tactic.
- Operating systems will continue to support notification systems that attackers can mimic.
- Cybercriminals are refining platforms like Matrix Push C2 to increase sophistication and scale.
Blocking notifications entirely isn’t feasible for most users, and visually verifying each alert is unrealistic during daily device use. The challenge, researchers say, lies in balancing convenience with security—a tension attackers are exploiting with increasing precision.