The Google Threat Intelligence Group (GTIG) has uncovered a new Russian scheme to access messages in the encrypted Signal app, a tactic used to extract information from Ukrainian soldiers' communications.

Source: Mezha Media, a technology and IT news platform within Ukrainska Pravda’s holding company, citing the GTIG in a statement

Details: The GTIG reported that several hacker groups with close ties to the Russian government have been running phishing campaigns against Signal users. Two of them, tracked as UNC5792 and UNC4221, abused the app's QR-code features: Signal uses QR codes both for joining a group and for linking an additional device to an account. The groups sent phishing messages that looked like group invitations but carried hidden JavaScript which turned the join action into a device-linking request, so that scanning the code linked an attacker-controlled device to the target's account and let the attackers read the messages sent to it.

These messages resembled ordinary chat invitations and appeared to come from military groups on Signal. Once a user scanned the QR code, the account was silently linked to the attackers' device, and every message delivered to the account from then on was also delivered to the attackers.

Google and Signal stated that the scheme did not break the messenger's encryption. It relied on two legitimate QR-code functions: one that invites a user into a new group and one that links an additional device to an account through the Linked Devices feature. The attackers substituted a linking code for an invitation code, and because the two look alike, the switch went unnoticed by the user.
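The two QR functions described above can be told apart before the code is ever scanned, because they decode to different URIs. The following Python snippet is an added example for this article, not code from Google, Signal or the cited reporting. It assumes the two public URI shapes that Signal clients use, a group invite link of the form https://signal.group/#<invite blob> and a device-linking URI of the form sgnl://linkdevice?uuid=<id>&pub_key=<key>; both shapes are assumptions about Signal's client behaviour, not something the article states, and every sample payload in the block is constructed for the demo.

```python
"""Pre-scan triage of a decoded Signal QR payload.

Added example, not code from Google, Signal or the article it accompanies.
Assumed URI shapes (assumptions about Signal clients, not from the article):
  - group invite link:  https://signal.group/#<invite blob>
  - device-linking URI: sgnl://linkdevice?uuid=<id>&pub_key=<key>
Decode the QR image with any offline reader first, then feed the string here.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

GROUP_INVITE = "group-invite"
DEVICE_LINK = "device-link"
OTHER = "other"


def classify_qr_payload(payload: str) -> str:
    """Return what Signal would do with this string if it scanned it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        return DEVICE_LINK
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return GROUP_INVITE
    return OTHER


def parse_device_link(payload: str) -> Optional[Dict[str, str]]:
    """Extract the linking parameters, or None if this is not a link URI."""
    if classify_qr_payload(payload) != DEVICE_LINK:
        return None
    params = parse_qs(urlsplit(payload.strip()).query)
    # Keep only the two fields a linking request is expected to carry.
    return {k: v[0] for k, v in params.items() if k in ("uuid", "pub_key")}


def check_invite(payload: str) -> Tuple[bool, str]:
    """Decide whether a QR presented as a group invitation is safe to scan.

    Only a genuine signal.group link passes. A linking URI is exactly the
    swap the article describes and is refused; anything else is refused
    because it is not a Signal group link at all.
    """
    kind = classify_qr_payload(payload)
    if kind == GROUP_INVITE:
        return True, "signal.group invite link: scanning only joins a group"
    if kind == DEVICE_LINK:
        info = parse_device_link(payload) or {}
        return False, (
            "device-linking URI, not an invite: scanning would add a device "
            "with public key %s to your account" % info.get("pub_key", "?")
        )
    return False, "not a Signal group link: do not scan it with Signal"


if __name__ == "__main__":
    # Constructed payloads for the demo, not taken from any real campaign.
    SAMPLES = [
        "https://signal.group/#CjQKIE1vY2tJbnZpdGVCbG9i",
        "sgnl://linkdevice?uuid=Zm9v&pub_key=QmFy",
        "https://example.invalid/signal-group-invite",
    ]
    for sample in SAMPLES:
        ok, why = check_invite(sample)
        print("SCAN  " if ok else "REFUSE", sample, "->", why)
```

The check is deliberately strict in one direction: a linking URI is never accepted as an invitation, whatever the surrounding message claims, which is the property the attackers relied on users not verifying.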

Last week, Signal released an update for its iOS and Android apps to blunt this attack. Users are now warned when a new device is being linked to their account and must explicitly confirm the link before that device receives any of their messages.

Google notes that similar tactics have been used against other messengers, including Telegram and WhatsApp, but Signal was the main target because of its wide use in the Ukrainian military. The company also stressed that the campaign was not limited to Ukrainians: activists, journalists and other Signal users around the world were targeted as well.

