
Newly released Google Threat Intelligence Group research outlines how Russian threat actors are increasingly exploiting Signal's built-in "linked device" feature by tricking Ukrainian military and government personnel into scanning malicious QR codes that grant attackers real-time access to the victim's messages.
These attacks are often disguised as group invites or security alerts, and some even mimic military applications. Once the malicious QR code is scanned, it silently links the victim's Signal account to a threat-actor-controlled instance, allowing the threat actor to eavesdrop on the victim's secure conversations in real time, all without fully compromising the device.
Techniques used to successfully trick victims include:
- Remote Phishing: Malicious resources masked as security alerts, as well as legitimate Signal group invites that redirect to a malicious site and pair a victim's Signal messages to an actor-controlled device;
- Tailored Phishing Kit: A tailored Signal phishing kit designed to appear as specialised applications, such as one mimicking components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance; and
- Captured Devices: Forward-deployed Russian military forces, suspected to be assisted by APT44 (AKA Sandworm), have also linked Signal accounts from devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation.
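The remote phishing and phishing-kit tactics above both end with the victim scanning a QR code that encodes a device-linking request rather than the group invite or alert it claims to be. The following triage helper is an added example, not code from Google's report or from Signal: it classifies a decoded QR payload so that a user or a mail/chat gateway can flag a device-link request before it is scanned. It assumes Signal's linking QR encodes an `sgnl://linkdevice` URI and that group invites use `https://signal.group/#...`; the sample payloads are constructed.

```python
import urllib.parse

# Constructed sample payloads as they would be decoded from scanned QR codes.
# Assumption: Signal device linking uses an sgnl://linkdevice URI and group
# invites use https://signal.group/#...; verify against your own client build.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIEXAMPLEINVITE",
    "sgnl://linkdevice?uuid=EXAMPLEUUID&pub_key=EXAMPLEKEY",
    "https://example.invalid/security-alert",
]


def classify_qr_payload(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'other' for a decoded QR string.

    A device-link URI hands whoever generated it a linked session on the
    scanning account, which is exactly the mechanism abused in the campaigns
    described above, so it is the verdict worth surfacing before a scan.
    """
    parts = urllib.parse.urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        return "device-link"
    if scheme == "https" and host == "signal.group":
        return "group-invite"
    # Anything else (including a "security alert" landing page that may
    # redirect to a linking URI) should be opened and inspected, not scanned.
    return "other"


def triage(payloads: list[str]) -> list[tuple[str, str]]:
    """Classify every payload and return (payload, verdict) pairs."""
    return [(p, classify_qr_payload(p)) for p in payloads]


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS):
        print(f"{verdict:13s} {payload}")
```

A verdict of "device-link" is a reason to stop and review Settings > Linked Devices on the account; a group invite never needs a linking URI.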
“Russia’s intelligence services are increasing their efforts to compromise encrypted messaging apps like Signal, recognising their crucial role in sensitive communications by Western militaries, politicians, and other high-risk individuals,” said the report’s author, Dan Black, a principal analyst at Google Threat Research.
"The varied tactics being used by Russia to target Signal, ranging from remote phishing operations to close-access exploitation using physical access to target devices, provide an urgent warning of the escalating threat to the tools publics increasingly rely upon for secure and private communications," he added. "We judge it highly likely that these tactics will proliferate outside of Ukraine and see more global use in the near-term future."
In response to these research findings, the Signal team coordinated closely with Google Threat Intelligence Group to investigate this activity and subsequently pushed updates to Android and iOS to help protect against similar phishing campaigns in the future. Signal users should update to the latest version of the app on their mobile devices.