The Google Threat Intelligence Group (GTIG) has reported a new scheme used by Russians to gain access to messages in the encrypted Signal messenger. This tactic was used to obtain information from the messages of the Ukrainian military.
Google's team reports that several hacker groups with close ties to the Russian government have been carrying out phishing attacks. These groups, identified as UNC5792 and UNC4221, abused the messenger's feature for scanning QR codes to join new groups and chats. They sent phishing messages inviting victims to chat rooms via QR codes that contained hidden JavaScript commands, which allowed the attackers to connect the victim's smartphone to a new device and access all of their messages.
These messages looked like ordinary chat invitations to what appeared to be military groups on Signal. However, when the victims scanned the QR code, their device immediately connected to the attackers' device, giving them access to the message history.
The Google and Signal teams state that this scheme did not break the messenger's encryption. Instead, it used two functional QR codes: one to invite the user to a new group, and the other to link the account to the attackers' device via the "Linked Devices" feature. During scanning, one QR code was swapped for the other without the user noticing.
Last week, Signal released an update for its iOS and Android apps to prevent such cases. From now on, users will be warned when an attempt is made to pair their account with a new device and will be asked to confirm explicitly that they want to share their messages with it.
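As an added illustration (not code from the GTIG report or from Signal), the following Python contrasts a client that acts on whatever a scanned QR code decodes to with the kind of intent check and explicit confirmation that Signal's update introduces. The URI shapes used here (a `signal.group` invite link and an `sgnl://linkdevice` URI carrying `uuid` and `pub_key` parameters) are assumptions modelled on Signal's link formats, and every value is constructed.

```python
"""Classify a scanned QR payload and gate device linking on user intent."""
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample payloads. The URI shapes are an assumption modelled on
# Signal's group-invite links and device-link URIs; the values are made up.
GROUP_INVITE = "https://signal.group/#CjQKIEXAMPLEINVITEKEY"
DEVICE_LINK = ("sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555"
               "&pub_key=EXAMPLEPUBKEY")


@dataclass
class ScanResult:
    kind: str    # "group_invite", "device_link" or "unknown"
    detail: str  # invite key, device uuid, or the raw payload


def classify_qr_payload(payload: str) -> ScanResult:
    """Decide what a decoded QR string would actually do if acted on."""
    parts = urlsplit(payload.strip())
    if parts.scheme == "https" and parts.netloc == "signal.group" and parts.fragment:
        return ScanResult("group_invite", parts.fragment)
    if parts.scheme == "sgnl" and parts.netloc == "linkdevice":
        query = parse_qs(parts.query)
        uuid = query.get("uuid", [""])[0]
        pub_key = query.get("pub_key", [""])[0]
        if uuid and pub_key:
            return ScanResult("device_link", uuid)
    return ScanResult("unknown", payload)


def handle_scan_unguarded(payload: str, linked: List[str]) -> str:
    """'Before' behaviour: act on whatever the code decodes to.

    A user who believes they are joining a group silently pairs a new device.
    """
    result = classify_qr_payload(payload)
    if result.kind == "device_link":
        linked.append(result.detail)
        return "linked"
    if result.kind == "group_invite":
        return "joined"
    return "ignored"


def handle_scan_guarded(payload: str, expected_kind: str,
                        confirm: Callable[[str], bool],
                        linked: List[str]) -> str:
    """Hardened behaviour: the payload must match what the user set out to do,
    and device linking always requires an explicit confirmation."""
    result = classify_qr_payload(payload)
    if result.kind != expected_kind:
        # A "join group" flow that receives a device-link URI is refused
        # outright rather than redirected into the pairing flow.
        return "rejected"
    if result.kind == "device_link":
        if not confirm(result.detail):
            return "cancelled"
        linked.append(result.detail)
        return "linked"
    if result.kind == "group_invite":
        return "joined"
    return "ignored"


if __name__ == "__main__":
    devices: List[str] = []
    print(handle_scan_unguarded(DEVICE_LINK, devices), devices)
    devices.clear()
    print(handle_scan_guarded(DEVICE_LINK, "group_invite", lambda _: True, devices))
    print(handle_scan_guarded(DEVICE_LINK, "device_link", lambda _: False, devices))
    print(handle_scan_guarded(GROUP_INVITE, "group_invite", lambda _: True, devices))
```

The point of the guarded handler is that the check happens on the decoded payload, not on what the invitation claimed the code was for: a device-link URI reaching the "join group" flow is rejected, and even in the intended linking flow the user must confirm the specific device before it is added.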
Google notes that similar tactics have been used against other messengers, such as Telegram and WhatsApp, but the main target was Signal because of its popularity among the Ukrainian military. At the same time, the company's representatives emphasize that this strategy was not limited to Ukrainians but was also used against activists, journalists, and other Signal users around the world.