Adposhel adware takes over browser push notifications administration

Browser push notifications: a feature asking to be abused

“I’m seeing a lot of ads popping up in the corner of my screen, and the Malwarebytes scan does not show there is anything wrong. It says my computer is clean. So what’s happening?”

Our support team runs into questions like this regularly, but the volume seems to be increasing lately. In most of these cases, it helps to look at the “Notification permissions” of the browser displaying this annoying behavior. A good cleansing in that department might be just what you need to get rid of those “pop-ups.”

The problem is that the messages users are seeing are not pop-ups at all, but in fact “push notifications,” often referred to as simply “notifications.” We understand that naming them differently doesn’t make them any less annoying. But it does change our classification of such messages.

not so harmless

Some notifications are not simple advertisements, but rather misleading messages about the safety of your computer.

What are these notifications?

From the Mozilla Developer pages:

The Notifications API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background. This article looks at the basics of using this API in your own apps.

What we can learn from this is that the notifications can originate from a website or from an app. We are going to focus on the case where a website is causing the problem. Any app showing you commercial messages outside of a browser window would get detected as adware by Malwarebytes, so these would not escape a scan.

However, website notifications can be displayed outside the browser window. Wait, what’s the difference between notifications and pop-ups again? A pop-up is a new browser window or tab, whereas notifications are more like tooltips. They are messages that are independent from any open websites.

Notifications show the domain from which they originate, so that could clue you in on the answer to another important question, which is:

How did I get them?

To receive browser notifications, a user must have first allowed them. In Firefox, the dialog to allow them looks like this:

Firefox allow prompt

While that seems pretty straightforward, there are trickier sites that use a bit of social engineering to get you to allow their notifications.

social engineering

The website visitors are led to believe that they have to click “Allow“ to see the video. In fact, if they click the “Allow” button, they will be redirected to another website, sometimes asking yet again to allow notifications, but meanwhile their clicking has allowed this site to show them notifications. And, mind you, the site does not have to be open in the browser for the notifications to pop up. As you can see, the fact that you are allowing notifications is a bit less clear in the Chrome prompt than it is in Firefox.

How do I disable them?

There are some options for disabling notifications. You can disable them altogether or you can disable notifications for specific domains, by removing them from your “Allow” list. You can even add them to your “Blocked” list.

example notifications

For every browser, the notifications look slightly different and the methods to disable them are slightly different as well. To make them easier to find, I have split them up by browser.

Chrome

To completely turn off notifications, even from an extension:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • In the Settings menu and click on Privacy and Security.
  • Click on Site settings.
  • In that menu, select Notifications.
  • By default, the slider is set to Ask before sending (recommended), but feel free to move it to Block if you wish to block notifications completely.
Notifications settings Chrome

For more granular control, you can use this menu to manipulate the individual items. Note that the items with a jigsaw puzzle piece icon are enforced by an extension, so you would have to figure out which extension first and then remove it. But for the ones with the three dots behind them, you can click on the dots to open this context menu:

notifications options

Selecting Block will move the item to the block list. Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site (unless you have set the slider to Block).

Shortcut: another way to get into the Notifications menu shown earlier is to click on the gear icon in the notifications themselves.

notification settings icon

This will take you directly to the itemized list.

Firefox

To completely turn off notifications in Firefox:

  • Click the three horizontal bars in the upper right-hand corner of the menu bar and select Options in the settings menu.
  • On the left-hand side, select Privacy & Security.
  • Scroll down to the Permissions section and click on the Settings button behind Notifications.
Firefox notifications permissions
  • In the resulting menu, put a checkmark in the Block new requests asking to allow notifications box at the bottom.
Firefox granular notifications control

In the same menu, you can apply a more granular control by setting listed items to Block or Allow by using the drop-down menu behind each item.

Opera

Where push notifications are concerned, you can see how closely related Opera and Chrome are.

  • Open the menu by clicking the O in the upper left-hand corner.
  • Click on Settings (on Windows)/Preferences (on Mac).
  • Click on Advanced and select Privacy & security.
  • Under Content settings (desktop)/Site settings (Android,) select Notifications.
Setting Opera on Android

On Android, you can remove all the items at once or one by one. On desktops, it works exactly the same as it does in Chrome. The same is true for accessing the menu from the notifications themselves. Click the gear icon in the notification, and you will be taken to the Notifications menu.

Edge

To disable web notifications in Windows:

  • Click the Start button in Windows (Windows icon).
  • Select Settings (gear icon).
  • Select System.
  • Select Notifications & actions.
  • Scroll down and select Microsoft Edge in the list of senders.
  • Here, you set the switch for Notifications to Off or change the notification properties.

You can also manage the notifications on a site-by-site basis in Edge:

  • Click the three dots button in the top-right corner and select Settings.
  • Scroll down and click on View advanced settings.
  • Under Notifications, click on Manage.
  • Here, you can switch notifications off for a specific website.

Safari

Launch Safari and go to Safari > Preferences, or press Command-Comma. Click on the Notifications tab. From there, you can manually disable/enable notifications from select sites, remove all notifications, or access your system-wide Notification Preferences.

Are these notifications useful at all?

While we could conceive of some cases where push notifications might be found useful, we would certainly not hold it against you if you decided to disable them altogether.

Web push notifications are not just there to disturb Windows users. Android, Chromebook, MacOS, even Linux users may see them if they use one of the participating browsers: Chrome, Firefox, Opera, Edge, and Safari. In some cases, the browser does not even have to be opened, and it can still display push notifications.

Be careful out there and think twice before you click “Allow.”

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.