We rely on app notifications to keep us in the loop about what’s going on. Imagine if you didn’t receive any notifications and missed out on the important news and stuff you rely on them for. But getting mysterious notifications can be just as worrying as not getting any.

And a lot of people have been getting “FCM Messages. Test Notification” or similar notifications from apps like Google Hangout and Microsoft Teams. So it’s natural that you’re worried and, at the same time, curious about this enigma. If you’ve been thinking what these are, or why you’re getting them, read on!

What is FCM Messages Test Notification

A lot of Android users have reported getting these FCM Messages notifications that look something like this:

FCM Messages
Test Notificationsss!!!

The number of S’s in the notification keeps varying. Now, the extra s’s and exclamation marks are evidence enough that there’s something fishy about these notifications. Then add in the factor that nothing happens when you open the app using these notifications; just the normal interface of the app opens as if you had not opened the app through this notification. There’s no trace of them. So, what exactly are these?

These notifications are a result of a vulnerability in the Firebase Cloud Messaging (FCM) Service. Firebase is a platform by Google that developers use to create mobile and web apps. It’s worth noting that many apps use FCM to deliver notifications.

Abhishek Dharani, a.k.a. ‘Abss‘, discovered the vulnerability after digging through the APK files for these apps. The APK files exposed sensitive API keys that anyone could find by going through the files with a fine-tooth comb. The vulnerability allowed him to send out these notifications to the mobile app users of the apps like Hangout, Microsoft Teams, Google Play Music, YouTube, etc.

And after tinkering with the logical conditions and expressions, they were even able to send notifications to non-subscriber users to notifications for these apps. There are even reports that these notifications were able to bypass the ‘quiet hours’ setting in Microsoft Teams when the pp technically should not deliver any notifications.


Is There Anything to Worry About?

As these notifications are harmless right now, there’s no need for worrying too much. But there’s no harm in being careful as someone can also use these notifications to send false information and carry out mass phishing attacks.

Google is already aware of the vulnerability and is investigating the matter. There’s no word of acknowledgment from Microsoft on the matter yet.

It’s worth noting that even though the notifications were part of a POC (proof of concept) by Abhishek and his team, any malicious attacker can also abuse the vulnerability in the future until the developers take swift action and do something about the exposed API keys.


Now that you know the reason behind these notifications, it should put your mind to rest. But you should also remain cautious and be on the lookout for if these notifications turn into something other than harmless by some attacker.