Google Threat Intelligence Group (GTIG) has revealed an escalating campaign by multiple Russia-aligned threat actors targeting Signal Messenger users through sophisticated exploitation of the app’s “linked devices” feature.
These attacks, primarily focused on Ukrainian military personnel, government officials, journalists, and activists, aim to gain persistent access to encrypted communications amidst Russia’s ongoing invasion of Ukraine.
Signal’s end-to-end encryption architecture has long made it a preferred platform for sensitive communications.
However, state-sponsored adversaries have shifted tactics to bypass cryptographic protections by abusing legitimate platform features rather than attempting direct decryption.
GTIG analysts found that the linked-devices functionality, which allows simultaneous use of Signal across multiple devices via QR code pairing, has become the primary attack vector for groups including UNC5792, UNC4221, and APT44 (Sandworm).
Modified Group Invite Attacks
The most technically sophisticated method involves UNC5792’s manipulation of Signal group invitation protocols.
Attackers host counterfeit group invites on domains like “signal-groups[.]tech” containing malicious JavaScript that substitutes legitimate group join functionality with device-linking commands.
Legitimate Signal group invite code typically contains:-
function doRedirect() {
  // A sgnl://join-group link opens the Signal app and joins the group
  var redirect = "sgnl://join-group?...";
  window.location = redirect;
}
UNC5792 modifies this to:-
function doRedirect() {
  // A sgnl://linkdevice link opens the Signal app and pairs a new device to the account
  var redirect = "sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D...";
  window.location = redirect;
}
This subtle code alteration tricks users into linking their account to attacker-controlled devices rather than joining a group.
Successful exploitation enables real-time message synchronization to adversary infrastructure without breaking encryption.
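The substitution above is a one-word change in the deep link, which makes it a good candidate for automated review of suspected invite pages. The following is an added example, not code from the GTIG report, from Signal, or from the article: it parses sgnl:// URIs found in a captured page, classifies them by action (the "join-group" and "linkdevice" host names come from the snippets above), and flags any page that presents itself as a group invite but actually triggers device linking. It assumes Node 18+ for the global URL class; the sample pages, the uuid value and the pub_key parameter name are constructed for illustration.

```javascript
// Added example (not from the GTIG report or Signal): classify sgnl:// deep links
// found in a suspected "group invite" page so a reviewer can see whether the
// redirect joins a group or links a new device to the victim's account.
// Assumes Node 18+ (global URL/URLSearchParams). Host names "join-group" and
// "linkdevice" are taken from the article; sample pages and parameter values
// other than uuid are constructed for illustration.

const SGNL_ACTIONS = {
  "join-group": { action: "join-group",  risk: "low",  note: "joins a group; grants no account access" },
  "linkdevice": { action: "link-device", risk: "high", note: "pairs a new device that receives future messages" },
};

// Parse one URI and return what it would make the Signal app do.
function classifySignalLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { action: "invalid", risk: "unknown", note: "not a parseable URL" };
  }
  if (url.protocol !== "sgnl:") {
    return { action: "not-signal", risk: "unknown", note: `scheme ${url.protocol} is not sgnl:` };
  }
  // For a non-special scheme like sgnl:, the WHATWG parser puts the action name in url.host.
  const known = SGNL_ACTIONS[url.host];
  if (!known) {
    return { action: `unknown:${url.host}`, risk: "medium", note: "unrecognised sgnl:// action" };
  }
  // searchParams decodes percent-encoding, so %3D%3D comes back as "==".
  return { ...known, params: Object.fromEntries(url.searchParams) };
}

// Pull every quoted sgnl:// URI out of page or script text.
function extractSignalLinks(text) {
  const re = /["'](sgnl:\/\/[^"'\s]+)["']/g;
  return Array.from(text.matchAll(re), (m) => m[1]);
}

// Review a captured page that claims to be a group invite: any link-device URI
// on such a page is the substitution described in the article.
function auditInvitePage(html) {
  const findings = extractSignalLinks(html).map((uri) => ({ uri, ...classifySignalLink(uri) }));
  const deviceLinks = findings.filter((f) => f.action === "link-device");
  return { findings, verdict: deviceLinks.length > 0 ? "device-link-substitution" : "clean" };
}

// Constructed sample pages (not real invites): one genuine join, one substituted redirect.
const LEGIT_INVITE =
  '<script>function doRedirect(){var redirect="sgnl://join-group?sample=constructed";window.location=redirect}</script>';
const SUSPICIOUS_INVITE =
  '<script>function doRedirect(){var redirect="sgnl://linkdevice?uuid=AAAAAAAAAAAAAAAAAAAAAA%3D%3D&pub_key=constructed";window.location=redirect}</script>';

for (const page of [LEGIT_INVITE, SUSPICIOUS_INVITE]) {
  const report = auditInvitePage(page);
  console.log(report.verdict, report.findings.map((f) => `${f.action} (${f.risk})`).join(", "));
}
```

A reviewer handling a reported invite link can feed the fetched page body to auditInvitePage; because the classification keys on the URI's action rather than on the domain, it still fires when the lure is hosted on a fresh look-alike domain. The unknown-action branch is deliberately medium risk so that a URI form the table does not list is surfaced rather than silently passed.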
Parallel campaigns by UNC4221 employ military-themed lures, such as phishing pages mimicking Ukraine’s Kropyva artillery coordination system (Figure 5). These sites prompt users to “Sign in to Signal” using QR codes that link to attacker devices.
This device-linking technique poses unique detection challenges, as it:-
- Leaves no cryptographic artifacts (exploits legitimate feature)
- Requires minimal endpoint malware (relies on user interaction)
- Enables persistent access without traditional C2 infrastructure
GTIG has observed complementary malware like PINPOINT being deployed to gather geolocation data via browser APIs, creating composite intelligence profiles.
The WAVESIGN batch script and Turla’s PowerShell modules demonstrate parallel efforts to exfiltrate Signal databases from compromised devices.
Signal has released updated Android/iOS versions with improved phishing detection, but users must manually enable two-factor authentication and audit linked devices.
The broader targeting of WhatsApp and Telegram suggests this tactic will proliferate across secure messaging platforms.
Organizations should prioritize user education on QR code risks and implement device auditing protocols alongside technical defenses.