Cybercriminals aligned with Russian threat groups are actively exploiting Signal’s linked devices feature to gain unauthorized access to user accounts. This attack method, observed by Google’s Threat Intelligence Group (GTIG), leverages malicious QR codes to hijack Signal accounts and intercept messages in real time.
How the Attack Works
The attackers abuse Signal’s legitimate linked-devices functionality, which lets a user attach multiple devices to one account. By presenting crafted QR codes that look legitimate, they trick victims into linking their Signal account to an attacker-controlled device. Once the link is established, every incoming message is delivered to both the victim and the threat actor, enabling continuous surveillance of private conversations without any further interaction from the victim.
Google has attributed these attacks to various Russia-backed threat actors, including UNC5792. These adversaries distribute malicious QR codes through:
- Fake Signal group invitations
- Fraudulent security alerts
- Phishing pages masquerading as Ukrainian military applications
GTIG reports that UNC5792 has hosted modified Signal group invite links on attacker-controlled infrastructure, making them appear identical to legitimate invitations.
Additional Threat Actors Targeting Signal Users
Other cyberespionage groups identified in these attacks include:
- UNC4221 (aka UAC-0185): Deploys phishing kits impersonating Kropyva, an artillery guidance application used by the Ukrainian military. The kit also delivers JavaScript-based spyware, PINPOINT, which collects user data and geolocation information.
- Sandworm (APT44): Uses a Windows Batch script named WAVESIGN to target Signal users.
- Turla: Operates a lightweight PowerShell script for infiltrating Signal accounts.
- UNC1151: Employs the Robocopy utility to exfiltrate messages from compromised desktops.
Growing Trend of Messaging App Exploits
The attack on Signal follows a similar campaign uncovered by Microsoft Threat Intelligence, where the Russian group Star Blizzard used a device-linking exploit to hijack WhatsApp accounts. Additionally, Microsoft and Volexity recently revealed that multiple Russian cyber actors are using a technique called device code phishing to compromise accounts on WhatsApp, Signal, and Microsoft Teams.
Google warns that the increasing focus on Signal by multiple threat groups highlights the growing threat against secure messaging platforms. These attacks are not limited to traditional cyber threats like phishing and malware but also include close-access operations, where an attacker gains temporary access to an unlocked device to link their own instance of Signal.
Fake Download Pages and SEO Poisoning
Alongside these phishing campaigns, security researchers have discovered a new SEO poisoning attack that uses fake download pages to distribute backdoored versions of applications like Signal, LINE, Gmail, and Google Translate. According to Hunt.io, these fake installers execute malicious actions such as:
- Extracting temporary files
- Injecting malicious processes
- Modifying security settings
- Establishing unauthorized network connections
The malware, identified as MicroClip, operates as an infostealer targeting Chinese-speaking users.
Protecting Your Signal Account
To mitigate the risk of account hijacking, Signal users should follow these security best practices:
- Verify device linking – Only scan QR codes from the official Signal website.
- Enable Registration Lock – This prevents unauthorized device linking without your PIN.
- Beware of phishing attempts – Avoid clicking on links or scanning QR codes from unknown sources.
- Monitor linked devices – Regularly review and remove unrecognized devices in Signal settings.
- Use strong authentication – Enable additional security measures where possible.
The surge in Signal-targeted attacks reinforces the importance of vigilance in securing messaging applications. With state-backed threat actors continually refining their techniques, proactive security measures are crucial to safeguarding sensitive communications.
Stay informed, stay secure.
Sources:
- Google Threat Intelligence Group (GTIG) Report: Google Security Blog
- Microsoft Threat Intelligence Report: Microsoft Security Blog
- Hunt.io Research: Hunt.io Blog