Signal Users Warned: Russian Hackers Scam Devices With Qr Code Attacks

Russia-aligned Hackers Spying on Signal Users with QR Code Scams

Russia-aligned hackers have been spotted using device-linking QR codes to phish Signal users into surreptitiously linking their devices. This tactic is part of a growing trend in Russian cyberwarfare, which has been using Ukraine as a test lab for its latest hacking techniques.

The threat actors, affiliated with the Ukrainian military intelligence GRU, have been posting malicious “linking” QR codes masquerading as group invites, security alerts, or specialized applications used by the Ukrainian military. These codes are designed to swap legitimate features like QR-code group invites and QR-code device linking invisibly, deceiving users into linking their devices to a new one controlled by an eavesdropper.

Google’s Threat Intelligence Group has revealed that Russia-linked hacker groups, named UNC5792 and UNC4221, have been targeting Signal users with these phishing messages. The attackers exploit the app’s linked devices feature, which allows one account to be used on multiple devices, to establish a connection between the victim’s device and an eavesdropper.

“This is exactly like a group invite, but when you scan it, it links your device to theirs instantly,” warns Dan Black, a Google cyberespionage researcher. “All your messages are now being delivered in real-time to the threat actor while you’re receiving them.”

Signal has rolled out an update for iOS and Android designed to counter this trick, which includes new safeguards that warn users when they link a new device and checks with them again at a randomized interval. The app also requires a form of authentication like entering a passcode or using FaceID/TouchID on iOS to add a new linked device.

“We’re really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Josh Lund, Signal’s senior technologist. “These recent improvements will really help keep users safe.”

Signal users must be aware of this phishing technique and take necessary precautions when linking devices or receiving group invites via QR code. Users can protect themselves by verifying the authenticity of QR codes before scanning them, being cautious of suspicious messages, and updating their app to the latest version.

The incident highlights the ongoing threat of Russian cyberwarfare and the need for users to remain vigilant in protecting their online security.