Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Hackers Exploit Signal’s Linked Devices Feature to Hijack Accounts via Malicious QR Codes

The Hacker News by The Hacker News
February 19, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Feb 19, 2025Ravie LakshmananMobile Security / Cyber Espionage

Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate ‘linked devices’ feature that enables Signal to be used on multiple devices concurrently,” the Google Threat Intelligence Group (GTIG) said in a report.

In the attacks spotted by the tech giant’s threat intelligence teams, the threat actors, including one it’s tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.

As a result, future messages get delivered synchronously to both the victim and the threat actor in real-time, thereby granting threat actors a persistent way to eavesdrop on the victim’s conversations. Google said UAC-0195 partially overlaps with a hacking group known as UAC-0195.

Cybersecurity

These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website. Alternatively, the malicious device-linking QR codes have been found to be embedded in phishing pages that purport to be specialized applications used by the Ukrainian military.

“UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite,” Google said.

Another threat actor linked to the targeting of Signal is UNC4221 (aka UAC-0185), which has targeted Signal accounts used by Ukrainian military personnel by means of a custom phishing kit that’s designed to mimic certain aspects of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance.

Also used is a lightweight JavaScript payload dubbed PINPOINT that can collect basic user information and geolocation data through phishing pages.

Outside of UNC5792 and UNC4221, some of the other adversarial collectives that have trained their sights on Signal are Sandworm (aka APT44), which has utilized a Windows Batch script named WAVESIGN; Turla, which has operated a lightweight PowerShell script; and UNC1151, which has put to use the Robocopy utility to exfiltrate Signal messages from an infected desktop.

The disclosure from Google comes a little over a month after the Microsoft Threat Intelligence team attributed the Russian threat actor known as Star Blizzard to a spear-phishing campaign that leverages a similar device-linking feature to hijack WhatsApp accounts.

Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are leveraging a technique called device code phishing to log into victims’ accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” Google said.

Cybersecurity

“As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target’s unlocked device.”

The disclosure also follows the discovery of a new search engine optimization (SEO) poisoning campaign that uses fake download pages impersonating popular applications like Signal, LINE, Gmail, and Google Translate to deliver backdoored executables aimed at Chinese-speaking users.

“The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications,” Hunt.io said, adding the samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Teleperformance forms strategic partnership with Real-Time Speech Understanding provider Sanas as part of its growth strategy to accelerate AI development and reinvent customer experience

Teleperformance forms strategic partnership with Real-Time Speech Understanding provider Sanas as part of its growth strategy to accelerate AI development and reinvent customer experience

Recommended.

Who will Trump pick for Fed chair? Hear from all the candidates in their own words

Who will Trump pick for Fed chair? Hear from all the candidates in their own words

August 15, 2025
TELUS reports operational and financial results for second quarter 2025

TELUS reports operational and financial results for second quarter 2025

August 1, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio