
Russian hackers target Signal accounts in growing espionage effort

Google’s Threat Intelligence Group (GTIG) has identified a rise in Russian state-backed hacking attempts aimed at compromising Signal messenger accounts.

These attacks primarily target individuals of interest to Russia's intelligence services, including military personnel, government officials, journalists, and activists.

While these efforts are currently tied to Russia’s war in Ukraine, experts warn that similar tactics may soon be adopted by other threat actors worldwide. The broader concern extends beyond Signal, as Russian-aligned groups have also been observed targeting messaging platforms like WhatsApp and Telegram using comparable methods, according to the group's latest report published on Feb. 19.

Experts warn that these attacks signal a growing global trend in cyber espionage, where governments and hacking groups are increasingly seeking to infiltrate secure messaging apps.

The primary technique used in these attacks involves exploiting Signal’s "linked devices" feature, which allows users to connect additional devices to their accounts. Hackers have crafted malicious QR codes that, when scanned, link a victim’s Signal account to a hacker-controlled device.

This enables them to intercept messages in real time without needing direct access to the victim’s phone. Phishing campaigns distributing these malicious QR codes have been disguised as legitimate Signal security alerts, group invitations, or even official device-pairing instructions from the Signal website. In some cases, hackers have embedded these QR codes within fake applications designed to mimic software used by the Ukrainian military.
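For defenders triaging reported QR codes or links, the mismatch described above (a code presented as a group invite or security alert that actually links a device) can be checked on the decoded payload. The following is an added example, not code from the article, GTIG or Signal; it assumes the device-link URI form `sgnl://linkdevice?...` and the group-invite host `signal.group`, neither of which the article states, and all function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumptions (not from the article): Signal device-link QR codes decode to a
# URI starting with sgnl://linkdevice, and group invites use https://signal.group/.
LINK_MARKER = "sgnl://linkdevice"

def _decode_layers(text, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so nested URIs become visible."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_payload(payload):
    """Classify a decoded QR payload or URL string."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return "other"
    if scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    # A device-link URI hidden inside another URL (e.g. a redirect parameter).
    if LINK_MARKER in _decode_layers(text).lower():
        return "embedded_device_link"
    if scheme == "https" and host == "signal.group":
        return "group_invite"
    return "other"

def is_suspicious(payload, claimed_purpose):
    """True when the payload links a device but was presented as something else."""
    kind = classify_payload(payload)
    if kind == "embedded_device_link":
        return True
    return kind == "device_link" and claimed_purpose != "device_link"

# Constructed sample payloads with placeholder values.
SAMPLES = [
    ("sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY", "group_invite"),
    ("https://signal.group/#EXAMPLEINVITE", "group_invite"),
    ("https://invite.example/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DEXAMPLE",
     "group_invite"),
]

if __name__ == "__main__":
    for payload, claimed in SAMPLES:
        print(classify_payload(payload), is_suspicious(payload, claimed))
```

A payload classified as `device_link` is only expected when the user started the linking flow themselves from Signal's settings; in every other context it warrants review.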

Beyond remote phishing, Russian cyber operatives have also deployed this tactic in battlefield scenarios.

The group APT44—also known as Sandworm, a unit linked to Russia’s military intelligence agency (GRU)—has reportedly used the method on captured devices. Soldiers’ Signal accounts are being linked to Russian-controlled infrastructure, allowing continued surveillance of sensitive conversations. This approach is difficult to detect because Signal does not have a centralized system for flagging new linked devices, meaning a successful breach could remain unnoticed for an extended period.

Signal, in collaboration with Google, has since strengthened its security measures to counter these phishing attempts. The latest updates for both Android and iOS include enhanced protections designed to prevent unauthorized device linking. Users are urged to update their apps to the newest version and remain cautious of suspicious QR codes or unexpected device-linking requests.
