A new fraudulent campaign to hijack Signal accounts has been detected. Attackers trick victims into scanning a QR code, authorizing the scammers’ device. Once authorized, the attacker gains access to all the victim’s correspondence that has appeared since authorization, as well as with the ability to download message history for the last 45 days.
Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Google’s Threat Intelligence Group discovered a fraudulent campaign targeting Signal users. Several Russia-aligned threat actors are actively targeting messenger accounts, used by individuals of interest to Russian intelligence services. This surge in activity appears to be driven by wartime demands to access sensitive communications, particularly within government and military circles.
In brief, attackers exploit Signal’s “linked devices” feature, tricking victims into scanning malicious QR codes that link their Signal accounts to adversary-controlled devices. This allows real-time message interception without needing full-device compromise. While Ukraine remains the primary target of these attacks, there are growing concerns that these tactics will be used globally.
Technical Details of Signal Linked Devices Hack
The attack method primarily exploits Signal’s “linked devices” feature, which is designed to allow users to connect additional devices to their account. Attackers generate malicious QR codes that, when scanned, add an adversary-controlled instance to the victim’s account. From that moment, messages are delivered to both the victim and the attacker simultaneously. This allows for persistent surveillance.
Russian-linked groups employ various phishing techniques to distribute these malicious QR codes. Some campaigns disguise them as legitimate Signal group invites. However, they redirect users to compromised URLs that execute the linking process.
For example, UNC5792, a threat actor tied to Russian intelligence, modifies legitimate Signal group invite pages by replacing the standard redirection code with a link that initiates device pairing. Instead of joining a group, victims unknowingly grant attackers access to their private messages.
Another group, UNC4221, has developed a specialized Signal phishing kit. It mimics official military applications, such as the Ukrainian Armed Forces’ Kropyva artillery guidance system. This kit either embeds malicious QR codes within phishing pages or redirects users to fake device-linking instructions. This is further increasing the likelihood of successful compromise.
Beyond QR code phishing, Russian cyber actors also employ malware to exfiltrate Signal database files from compromised Windows and Android devices. APT44 has deployed WAVESIGN, a Windows Batch script that extracts messages from Signal databases and uploads them via Rclone.
Meanwhile, malware like Infamous Chisel targets Android devices, searching for and exfiltrating Signal’s database files. Other groups, including Turla and UNC1151, have used PowerShell scripts and command-line utilities to steal Signal messages from compromised systems.
What’s Wrong With QR Codes?
Unfortunately, QR codes present several security risks, primarily due to their inherent opacity. Users cannot see where they lead until they are scanned. Attackers exploit this by replacing legitimate QR codes with malicious ones. They do this either physically (e.g., placing stickers over real codes) or digitally (e.g., swapping images in online resources). Users often scan and approve QR codes without scrutiny, making them an attractive attack vector.
Additionally, Signal and other messengers should enhance its security measures by adding more explicit warnings during the device-linking process. The average user is not well-versed in cybersecurity, and small friction points in the authentication process could prevent inadvertent compromises. A simple “Are you sure?” prompt is simply not enough. For example, users should be required to type “YES” in capital letters or perform additional verification steps to ensure they understand the implications of linking a new device.
How To Stay Safe
To avoid falling victim to such scams, always verify the source of a QR code before scanning it. If you are linking a device to Signal, ensure that you initiate the process yourself through the app’s official settings rather than scanning codes from external sources. Be particularly wary of QR codes received via messages, emails, or websites that claim to be from Signal or trusted contacts.
Ultimately, the best defense against these attacks is vigilance. Attackers rely on social engineering and user complacency to succeed. By fostering greater awareness and caution when scanning QR codes, users can significantly reduce their risk of compromise.
