A recent post to the r/xboxone sub-Reddit titled “How to stop these popups?” included a screenshot of a spam notification on an Xbox One. The poster is not alone. Another recent post to r/MicrosoftEdge complained of virus protection notifications appearing on an Xbox. A user on r/Xbox reported the same problem. The notifications are a new avenue for spam that may cause headaches for Xbox owners. “Cybercriminals always try to benefit from popular sources of entertainment, including gaming,” Boris Larin, a security researcher at Kaspersky, said in an email. “Users are highly susceptible to phishing attacks or clicking on malicious links when it comes to games, whether they’re looking to find cheats and pirated versions, or receive a legitimate-looking message through video game/console instant messenger.”
A Scan Has Detected a Virus on Your Device
I was able to replicate notification spam on my Xbox Series X. A search for Minecraft skins led to several websites that asked me to sign up for notifications in exchange for skins, prizes, or to run an antivirus check. The notifications, with icons and text defined by the website, began to appear on my Xbox even when I wasn’t using the Edge app. The notifications at first look identical to other Xbox app notifications, though opening the Xbox notification pane will reveal they originate in Edge. For example, one notification I received warned that a scan had detected a virus on my device. After a September update, users began to post about the problem that deployed the new, Chromium-based version of Microsoft Edge to Xbox game consoles. The new Edge is more capable than the version it replaces. It can even be used to access cloud streaming services like Nvidia GeForce Now or stream emulated versions of older games.
Malware Is Not a Concern, but Notifications Can Be Nefarious
Notifications can lure unsuspecting users into believing the notification is from a legitimate source. Notifications also use scare tactics to nudge user behavior. For example, a notification may claim an Xbox is infected with malware. Can an Edge notification infect an Xbox game console with malware? The answer, for now, is definitive: no. The Xbox One and Xbox Series X/S game consoles have a ‘security complex’ that prevents Xbox consoles from executing code not signed by Microsoft. The Xbox also isolates programs in a sandbox, so they can’t access the Xbox operating system in unintended ways. “It’s fair to say that modern video game consoles have better security than an average PC thanks to security features used to implement DRM and prevent piracy,” said Larin. “Unfortunately, such security features do not protect against phishing attacks, so users should be very careful.” Microsoft has not commented on the issue.
Xbox Users Should Be Cautious
The solution to notification spam lies in the hands of Xbox owners. It’s not a problem if you avoid the Microsoft Edge web browser, as this is the one way they can be approved. However, those who do use Edge should be careful not to approve prompts that appear. Xbox owners can also halt notifications by removing them from the list of approved websites in Edge. Microsoft provides a menu option with access to Microsoft Edge notification controls with every notification that Edge creates on the Xbox. However, this doesn’t entirely resolve the issue. The Xbox is used by a wide variety of people, including children, who may not understand the source of a notification or its legitimacy. As a result, Xbox owners should be wary about who uses the Edge browser and approach notifications with a hefty dose of skepticism.
