Feb 20, 2025 12:40:00

Google warns that multiple Russian threat actors are targeting messaging apps such as Signal to gather intelligence

The Google Threat Intelligence Group (GTIG) has reported that threat actors linked to Russian intelligence agencies are increasing their efforts to compromise accounts on the messaging app Signal. Similar techniques are being used on other apps, including Signal, WhatsApp, and Telegram, and the GTIG has issued a warning to help the community protect themselves from threats.

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog

https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/

Russia-linked APTs target Signal messenger

https://securityaffairs.com/174397/cyber-warfare-2/russia-linked-threat-actors-exploit-signals-linked-devices-feature.html

Russia-aligned hackers are targeting Signal users with device-linking QR codes - Ars Technica
https://arstechnica.com/information-technology/2025/02/russia-aligned-hackers-are-targeting-signal-users-with-device-linking-qr-codes/

Signal is known as a messaging app that is considered highly secure, having been given the highest rating of ' Most Secure Messaging App ' by the Electronic Frontier Foundation.

Its popularity among those targeted for espionage and surveillance, including politicians, journalists, military personnel, activists, and other at-risk communities, makes it a valuable app for adversaries looking to intercept sensitive information.

According to GTIG, threat actors attacking Signal are exploiting the 'Linked Devices' feature, which allows users to sync messages exchanged between the desktop and app versions of Signal. Users cannot sync their past message history or transfer their past history to other devices.

Linked Devices – Signal Support
https://support.signal.org/hc/ja/articles/360007320551-Linked Devices

When adding a device to the 'Linked Devices' feature, a QR code is scanned. According to GTIG, if a malicious QR code linked to a 'Signal instance controlled by a threat actor' is scanned, messages will be sent synchronously in real time to both the victim and the threat actor.

Malicious QR codes can be loaded by disguising themselves as group invitations , warning messages, or legitimate pairing procedures. In one case, a malicious QR code was embedded in a phishing page disguised as a special application used by the Ukrainian military.

In addition, there have been cases where 'UNC5792,' a group tracked as part of a Russian espionage operation, has been altering legitimate links on group invite pages to redirect to malicious URLs in order to compromise Signal accounts.

In addition to device-specific targeting, the theft of Signal database files has also been observed on Android and Windows devices. These attacks have been attributed to threat actors linked to the Russian government as well as UNC1151, a group associated with Belarus, a pro-Russian state.

According to GTIG, while attacks in recent months have mainly targeted Signal, they are sure to intensify in the near future and pose a threat to messaging apps as a whole. GTIG lists the following as countermeasures against attacks targeting personal devices:

- Enable screen lock on all mobile devices and use complex passwords
- Update your OS and apps to keep them up to date.
- Regularly check the Signal settings screen for any suspicious connected devices.
Be wary of QR codes disguised as app updates, group invitations, or legitimate notifications, or of requests for immediate action.
If available, implement two-factor authentication using fingerprint, facial recognition, security key, or one-time password to verify each login or link to a new device.
-Android users should enable Google Play Protect
- iPhone users should consider using lockdown mode.