Russian Threat Actors Exploit Signal’s Linked Devices Feature for Espionage
Russian state-aligned threat actors have increasingly targeted Signal Messenger accounts through phishing campaigns that exploit the platform’s "Linked Devices" feature. According to findings from Google Threat Intelligence Group (GTIG), these operations have been observed over the past year, with attackers tricking victims into linking their Signal accounts to adversary-controlled devices. The primary objective of these operations is to intercept sensitive communications from government officials, military personnel, journalists, and other high-value targets. GTIG has identified multiple Russia-aligned groups leveraging QR code-based phishing techniques to gain unauthorized access to Signal accounts, allowing attackers to passively monitor conversations in real time.
The "Linked Devices" feature in Signal allows users to connect multiple devices to a single account by scanning a QR code. Threat actors abuse this functionality by embedding malicious QR codes in phishing pages, disguising them as legitimate Signal group invites or security alerts. UNC5792 (aka UAC-0195), a threat cluster linked to Russian espionage, has been observed modifying legitimate Signal group invite pages to include a redirect to a malicious URL which, when scanned, connects the target’s Signal account to an attacker-controlled device. Similarly, UNC4221 (aka UAC-0185) has deployed a phishing kit impersonating Kropyva, a software used by Ukrainian military forces. This kit tricks targets into scanning fraudulent QR codes, granting attackers persistent access to secure communications.
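The attack works because a user expecting a group invite cannot tell, from the QR image alone, that the code actually carries a device-link request. The following added example (not code from GTIG or the Signal project) classifies the raw text a QR scanner returns before it is handed to the app. It assumes, based on Signal's client behaviour rather than anything stated on this page, that device-link QR codes encode an `sgnl://linkdevice?uuid=...&pub_key=...` URI while group invites are `https://signal.group/#...` links; any other http(s) URL is treated as the kind of external redirect described above.

```python
from urllib.parse import urlparse, parse_qs

# Assumed formats (not from this page): Signal device-link QR payloads use the
# sgnl://linkdevice?... scheme, group invites are https://signal.group/#<blob>.
DEVICE_LINK_SCHEME = "sgnl"
DEVICE_LINK_HOST = "linkdevice"
GROUP_INVITE_HOST = "signal.group"


def classify_qr_payload(payload: str) -> dict:
    """Classify scanned QR text as a group invite, a device-link request,
    an external URL (possible redirect), or something else."""
    p = urlparse(payload.strip())
    if p.scheme == DEVICE_LINK_SCHEME and p.netloc == DEVICE_LINK_HOST:
        q = parse_qs(p.query)
        # Scanning this links the account to whoever generated the code.
        return {
            "kind": "device_link",
            "risk": "high",
            "device_uuid": q.get("uuid", [""])[0],
            "has_pub_key": "pub_key" in q,
        }
    if p.scheme == "https" and p.netloc == GROUP_INVITE_HOST and p.fragment:
        return {"kind": "group_invite", "risk": "low"}
    if p.scheme in ("http", "https"):
        # A web URL is not a group invite; it may redirect to a link-device page.
        return {"kind": "external_url", "risk": "medium", "host": p.netloc}
    return {"kind": "other", "risk": "unknown"}


def flag_suspicious(payloads: list) -> list:
    """Return the payloads that are not plain group invites, for review."""
    return [p for p in payloads if classify_qr_payload(p)["kind"] != "group_invite"]


if __name__ == "__main__":
    # Constructed sample payloads; the uuid and key values are placeholders.
    samples = [
        "https://signal.group/#CjQKIExampleInviteBlob",
        "sgnl://linkdevice?uuid=PLACEHOLDER-UUID&pub_key=PLACEHOLDER",
        "https://invite.example.test/signal-group",
    ]
    for s in flag_suspicious(samples):
        print(classify_qr_payload(s), s)
```

Run over the constructed samples, only the first (a genuine-looking group invite) passes; the device-link URI and the external redirect are flagged.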
Beyond phishing, Russian and Belarusian actors have been actively searching for and extracting Signal messages from compromised devices. Sandworm (APT44) has leveraged the WAVESIGN batch script, Infamous Chisel malware, PowerShell scripts, and the Robocopy command-line utility to exfiltrate Signal data from Android and Windows devices. These tactics indicate a broader operational emphasis on compromising secure messaging applications to support military intelligence objectives. GTIG warns that these methods are particularly challenging to detect, as Signal does not provide centralized logging for newly linked devices, allowing compromises to persist undetected for extended periods.
In response to these threats, Signal has released updates for its Android and iOS applications, implementing security enhancements to mitigate QR code phishing risks. GTIG recommends that users regularly audit linked devices, enable strong screen lock passwords, avoid scanning unsolicited QR codes, and keep their applications updated. Additionally, enabling two-factor authentication where possible and using Lockdown Mode on iOS devices can provide an additional layer of security.