Google Threat Intelligence Group (GTIG) has revealed an escalating campaign by multiple Russia-aligned threat actors targeting Signal Messenger users through sophisticated exploitation of the app’s “linked devices” feature. GTIG analysts detected that the linked devices functionality, which allows simultaneous use of Signal across multiple devices via QR code pairing, has become the primary attack vector for groups including UNC5792, UNC4221, and APT44 (Sandworm). Signal has released updated Android/iOS versions with improved phishing detection, but users must manually enable two-factor authentication and audit linked devices. Attackers host counterfeit group invites on domains like “signal-groups[.]tech” containing malicious JavaScript that substitutes legitimate group join functionality with device-linking commands. This subtle code alteration tricks users into linking their account to attacker-controlled devices rather than joining a group. The WAVESIGN batch script and Turla’s PowerShell modules demonstrate parallel efforts to exfiltrate Signal databases from compromised devices.
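A defender-side check for the substitution described above, added here as an example and not taken from the article or from GTIG: it scans the source of a page presented as a Signal group invite and reports any device-linking URI found in it, including percent-encoded or entity-escaped forms. The URI shapes (`sgnl://linkdevice?...` for linking, `signal.group` for invites) are assumptions based on Signal's public clients, not on this page, and the sample pages are constructed.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Assumed URI shapes (from Signal's public clients, not from the article):
#   device linking: sgnl://linkdevice?uuid=...&pub_key=...
#   group invite:   https://signal.group/#...  or  sgnl://signal.group/#...
URI_RE = re.compile(r"""(?:sgnl|https)://[^\s"'<>\\]+""", re.IGNORECASE)

def classify_signal_uri(uri):
    """Return 'device_link', 'group_invite' or 'other' for one URI."""
    try:
        parts = urlsplit(uri)
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return "other"
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    if scheme in ("sgnl", "https") and host == "signal.group":
        return "group_invite"
    return "other"

def normalise(text):
    """Undo HTML entities and up to two rounds of percent-encoding."""
    text = html.unescape(text)
    for _ in range(2):
        text = unquote(text)
    return text

def audit_invite_page(page_source):
    """List device-linking URIs in a page that claims to be a group invite."""
    found = []
    for uri in URI_RE.findall(normalise(page_source)):
        if classify_signal_uri(uri) == "device_link" and uri not in found:
            found.append(uri)
    return found

# Constructed samples: a plain invite link, and a page hiding a linking URI.
LEGIT_PAGE = '<a href="https://signal.group/#CONSTRUCTED_TOKEN">Join group</a>'
SUSPECT_PAGE = ('<script>var u="sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED'
                '%26pub_key%3DCONSTRUCTED";</script>')

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, audit_invite_page(page))
```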
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Feb 2025 12:55:04 +0000