Russian phishing campaigns exploit Signal’s device-linking feature

Russian threat actors have been launching phishing campaigns that exploit the legitimate “Linked Devices” feature in the Signal messaging app to gain unauthorized access to accounts of interest.

Over the past year, researchers observed phishing operations attributed to Russian state-aligned groups that used multiple methods to trick targets into linking their Signal account to a device controlled by the attacker.

Device-linking phishing

In a report today, Google Threat Intelligence Group (GTIG) says that abusing Signal’s device linking feature is the “most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts.”

Threat actors leveraged the feature by creating malicious QR codes and deceiving potential victims into scanning them to allow Signal messages to synchronize with the attacker’s device.

It is a simple trick that does not require a full compromise of the target’s device to monitor their secure conversations.

GTIG researchers observed this method being adapted by the type of target. In a broader campaign, the attacker would disguise the malicious code as a legitimate app resource (e.g. Signal group invites) or as device pairing instructions from the legitimate Signal website.

For targeted attacks, the threat actor would add the malicious QR codes to phishing pages designed to be of interest to the potential victim, such as “specialized applications used by the ultimate targets of the operation.”

Additionally, GTIG noticed that the infamous Russian hacker group Sandworm (Seashell Blizzard/APT44) used malicious QR codes to access Signal accounts on devices captured on the battlefield by deployed military forces.

Another trick based on the device-linking feature that GTIG observed in suspected Russian espionage activity is altering a legitimate group invite page to redirect to a malicious URL that connects the target’s Signal account to a device controlled by the attacker.

This method was seen with an activity cluster tracked internally as UNC5792, which has similarities with an actor that Ukraine’s Computer Emergency Response Team (CERT-UA) refers to as UAC-0195, whose activity has been linked to attempts to compromise WhatsApp accounts.

“In these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite” – Google Threat Intelligence Group

The fake invitations had the legitimate redirect JavaScript code replaced with a malicious block that included Signal’s URI (Uniform Resource Identifier) for linking a new device (“sgnl://linkdevice uuid”) instead of the one for joining the group (“sgnl://signal.group/”).

When the target accepted the invitation to join the group, they would connect their Signal account with an attacker-controlled device.
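As an added illustration of the URI swap described above (this is not code from GTIG's report or from Signal), the following Python check extracts the sgnl:// URIs in a saved copy of an invite page and flags a page whose redirect leads to device linking instead of to a group. The HTML samples and token values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Matches sgnl:// URIs wherever they appear: href attributes or JavaScript
# string literals, which is where the modified redirect code places them.
SGNL_URI_RE = re.compile(r"""sgnl://[^\s"'<>)]+""")

def classify_sgnl_uri(uri: str) -> str:
    """Label one sgnl:// URI by the client action it triggers."""
    host = urlsplit(uri).netloc.lower()
    if host == "signal.group":
        return "group-invite"      # legitimate join-group deep link
    if host == "linkdevice":
        return "device-link"       # pairs the account with a new device
    return "other"

def scan_invite_page(html: str) -> list[tuple[str, str]]:
    """Return every sgnl:// URI on the page together with its label."""
    return [(u, classify_sgnl_uri(u)) for u in SGNL_URI_RE.findall(html)]

def page_is_suspicious(html: str) -> bool:
    """A page presented as a group invite must never carry a device-link URI."""
    return any(label == "device-link" for _, label in scan_invite_page(html))

# Constructed samples: an untouched invite page and one whose redirect
# script was swapped for a device-linking URI (token and uuid are placeholders).
LEGIT_INVITE = """<html><body>
<script>window.location = "sgnl://signal.group/#CONSTRUCTED_INVITE_TOKEN";</script>
<a href="https://signal.group/#CONSTRUCTED_INVITE_TOKEN">Join group</a>
</body></html>"""

TAMPERED_INVITE = """<html><body>
<script>window.location = "sgnl://linkdevice?uuid=CONSTRUCTED-UUID";</script>
<a href="https://signal.group/#CONSTRUCTED_INVITE_TOKEN">Join group</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_INVITE), ("tampered", TAMPERED_INVITE)):
        print(name, scan_invite_page(page), "suspicious:", page_is_suspicious(page))
```

The same check can be run over proxy-captured or reported pages to triage which ones carry a linking URI before a user scans or taps them.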

Custom phishing kit

Another Russia-linked threat actor, which GTIG tracks as UNC4221 and CERT-UA as UAC-0185, used a phishing kit specifically created to target the Signal accounts of Ukrainian military personnel.

The phishing kit impersonates the Kropyva software, which the Armed Forces of Ukraine use for artillery guidance, minefield mapping, or locating soldiers.

The device-linking trick in these attacks is masked by a secondary infrastructure (signal-confirm[.]site) created to impersonate the legitimate Signal instructions for the operation.

Attackers also used Kropyva-themed phishing to distribute malicious device-linking QR codes, and older operations lured with fake Signal security alerts hosted at domains impersonating the messaging service.

GTIG says it observed both Russian and Belarusian efforts to search for and collect messages from the Signal app’s database files on Android and Windows using the WAVESIGN batch script, the Infamous Chisel malware, PowerShell scripts, and the Robocopy command-line utility.

The researchers underline that Signal is not the only messaging app Russian threat actors have taken an interest in during recent months, and pointed to the Coldriver campaign that targeted the WhatsApp accounts of high-value diplomats.

This type of device-linking compromise is difficult to spot and protect against because there is no technical solution to monitor for the threat of newly linked devices, the researchers note.

They say that “when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.”

Signal users are advised to update to the latest version of the application, which includes improved protections against the phishing attacks that Google observed.

Additional recommendations include activating the screen lock on mobile devices with a long and complex password, regularly checking the list of linked devices, exercising caution when interacting with QR codes, and enabling two-factor authentication.
