Hackers are targeting Signal with new QR code-linked cyberattack

(Image credit: Pixabay)

Google researchers are warning of an ongoing phishing campaign
It distributes QR codes which grant the attackers access to people's Signal accounts
The targets are mostly military personnel, experts warn

Russian state-sponsored threat actors have been increasingly targeting Signal Messenger users, with QR code-powered phishing attacks, malware, and more, experts have warned

A report from Google’s Threat Intelligence Group (GTIG) notes Signal’s use among military personnel, politicians, journalists, activists, and other high-risk groups has lately become widespread, triggering Russian state-sponsored threat actors’ increasing interest, particularly since the beginning of the Russo-Ukrainian war.

As a result, different threat actors (most notably APT44 and UNC5792) have been trying to abuse the “linked devices” feature in the attack. Linked devices allows users to connect multiple devices, such as laptops, tablets, and mobile devices, to the same account. To simplify the login process, users can scan a QR code from a device that’s already logged in, instead of typing in a password, or registering a new service.

QR codes

That being said, cybercriminals have started sending out phishing emails with invites to fake groups, different security alerts, and similar, which also carry a QR code. If the victim scans it, the attacker’s device gets logged into their account, getting access to contacts, messages, and more.

Since the phishing email doesn’t carry a malicious link, or attachment, that can be scanned by email security solutions, these emails often make it past filters and into people’s inboxes.

Beyond phishing, Russian and Belarusian threat groups are also using malware and specialized tools to exfiltrate Signal messages directly from compromised Android and Windows devices.

These efforts include scripts like WAVESIGN, which periodically extracts messages from Signal’s database, and Infamous Chisel, a known Android malware variant. Other actors, such as Turla and UNC1151, have leveraged PowerShell and command-line utilities to steal stored Signal messages from compromised computers, as well.

United Healthcare data breach may have affected 190 million Americans
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.