Recent cyberattacks have highlighted a vulnerability in Signal's device linking feature, allowing hackers to gain unauthorized access to user accounts. These attacks, primarily attributed to Russian-aligned threat actors, exploit the app's legitimate functionality to eavesdrop on communications.

Exploitation of Signal's Device Linking

The attacks abuse Signal's "linked devices" feature, which lets one account be used on multiple devices simultaneously. By presenting a victim with a malicious QR code, attackers can link the victim's account to a device they control, after which they receive the victim's messages in real time.

Malicious QR Code Tactics

Threat actors, including groups identified as UNC5792 and UAC-0195, have been observed using QR codes disguised as legitimate group invites or security alerts. These codes are often embedded in phishing pages that mimic official Signal communications or specialized military applications.

  • UNC5792: Utilizes actor-controlled infrastructure to host fake Signal group invitations.
  • UNC4221: Targets Ukrainian military personnel with phishing kits mimicking the Kropyva application.

Additional Threat Actor Activities

Beyond UNC5792 and UNC4221, other groups such as Sandworm, Turla, and UNC1151 have also targeted Signal. These groups employ various techniques, including scripts and utilities, to exfiltrate messages and gather user data.

Broader Implications for Secure Messaging

The focus on Signal by multiple threat actors underscores a growing threat to secure messaging apps. This trend is not limited to remote operations like phishing but also includes close-access attacks where brief physical access to a device is exploited.
