How Russian Hackers Are Exploiting Signal ‘Linked Devices’ Feature for Real-Time Spying


Incident response specialists at Mandiant are sounding alarm bells after catching multiple Russian professional hacking gangs abusing a nifty Signal Messenger feature to surreptitiously spy on encrypted phone conversations.

In a fresh report published Wednesday, Mandiant threat hunter Dan Black warns that several APT groups have perfected the abuse of Signal’s “linked devices” feature that enables the privacy-themed chat and voice messenger to be used on multiple devices concurrently.

Mandiant says APT groups linked to the Kremlin are tricking users into scanning malicious QR codes, embedded in phishing pages or disguised as group invite links, that secretly add an attacker-controlled device as a linked endpoint.

Once this connection is established, every message sent by the user is duplicated to the attacker’s device in real time, effectively bypassing Signal’s heralded end-to-end encryption without having to break the underlying cryptography.

The company said Signal’s popularity among common targets of surveillance and espionage activity — military personnel, politicians, journalists and activists — has made the messaging application “a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements.”

“More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques,” the Mandiant researcher said.

In remote phishing operations, Mandiant has seen malicious resources frequently masked as legitimate app resources, such as Signal group invites, or as legitimate device pairing instructions from the Signal website. 

“In more tailored phishing operations, we have observed malicious device-linking QR codes embedded in phishing pages crafted to appear as specialized applications used by the ultimate targets of the operation,” the company said.


Beyond remote phishing and malware delivery operations, Mandiant said it also caught malicious QR codes being used in close-access operations. In one case, the notorious Sandworm threat actor has worked to enable Russian military forces to link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation. 

“Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time,” the company warned.

The government-backed Russian cyberspies were also seen altering legitimate ‘group invite’ pages, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim’s Signal account.

“In these operations, [the group] has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite,” Mandiant explained. 

In each of the fake group invites, Mandiant reports that the JavaScript code that normally redirects the user to join a Signal group was replaced by a malicious block containing the URI Signal uses to link a new device (i.e. ‘sgnl://linkdevice?uuid=’), tricking victims into linking their Signal accounts to a device controlled by the attacker.

In yet another case, Mandiant found a different Russian hacking team actively targeting Signal accounts used by Ukrainian military personnel. The company said it caught the group operating a tailored Signal phishing kit designed to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance.

This group also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact, the report said. 

As part of its Signal targeting, the group was seen using a lightweight JavaScript payload to collect basic user information and geolocation data using the browser’s GeoLocation API. “In general, we expect to see secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations,” Mandiant said.
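The two page-level indicators described above (a group-invite redirect swapped for a ‘sgnl://linkdevice?uuid=’ URI, and a script calling the browser’s Geolocation API) are easy to check for in captured page content. The following Python is an added example for defenders, not code from Mandiant or Signal: it scans the JavaScript of a suspected invite page for browser navigations, classifies them as a genuine signal.group invite or a device-linking URI, and notes whether the page also asks for the user’s location. The two sample scripts and the uuid value are constructed placeholders; the regular expressions cover the common ways a script navigates the browser and are an assumption, not an exhaustive list.

```python
import re
from dataclasses import dataclass, field

# Legitimate Signal group invites redirect to https://signal.group/#<invite token>.
GROUP_INVITE_RE = re.compile(r"https://signal\.group/#[A-Za-z0-9_\-]+")
# The device-linking URI prefix quoted in the Mandiant report: sgnl://linkdevice?uuid=...
LINK_DEVICE_RE = re.compile(r"sgnl://linkdevice\?[^\s'\"<>]*")
# Common forms of a script-driven navigation (assumption: covers the usual idioms, not all).
NAVIGATION_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]\s*\)"
)
# Browser Geolocation API calls that hand the page the user's position.
GEOLOCATION_RE = re.compile(r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)")


@dataclass
class PageFindings:
    navigation_targets: list[str] = field(default_factory=list)
    device_link_uris: list[str] = field(default_factory=list)
    group_invites: list[str] = field(default_factory=list)
    collects_geolocation: bool = False

    @property
    def verdict(self) -> str:
        # A page presented as a group invite should never navigate into device linking.
        if self.device_link_uris:
            return "suspicious: page redirects into Signal device linking"
        if self.group_invites:
            return "benign-looking: redirects to a signal.group invite"
        return "no Signal redirect found"


def analyze_page(script_text: str) -> PageFindings:
    """Extract navigation targets and Signal-related indicators from page JavaScript."""
    findings = PageFindings()
    for match in NAVIGATION_RE.finditer(script_text):
        findings.navigation_targets.append(match.group(1) or match.group(2))
    findings.device_link_uris = [m.group(0) for m in LINK_DEVICE_RE.finditer(script_text)]
    findings.group_invites = GROUP_INVITE_RE.findall(script_text)
    findings.collects_geolocation = bool(GEOLOCATION_RE.search(script_text))
    return findings


# Constructed sample: the redirect script of a genuine-looking group invite page.
LEGIT_INVITE_JS = """
setTimeout(function () {
  window.location.href = "https://signal.group/#CjQKIExampleInviteTokenOnly";
}, 500);
"""

# Constructed sample: the same page with the redirect swapped for a device-link URI
# and a location grab added (uuid value is a placeholder, not a real identifier).
TAMPERED_INVITE_JS = """
navigator.geolocation.getCurrentPosition(function (p) {
  fetch("/collect?lat=" + p.coords.latitude + "&lon=" + p.coords.longitude);
});
setTimeout(function () {
  window.location.href = "sgnl://linkdevice?uuid=PLACEHOLDER-UUID";
}, 500);
"""

if __name__ == "__main__":
    for name, js in (("legit", LEGIT_INVITE_JS), ("tampered", TAMPERED_INVITE_JS)):
        result = analyze_page(js)
        print(f"{name}: {result.verdict}; geolocation={result.collects_geolocation}")
```

In a URL-scanning or mail-filtering pipeline this check would run on the fetched page body before a user ever reaches it; any page that both claims to be an invite and navigates to ‘sgnl://linkdevice’ is worth blocking and reporting, and a Geolocation call on the same page strengthens the signal.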

The company encourages Signal users to enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers and symbols; to install operating system updates as soon as possible; and to always use the latest version of Signal and other messaging apps.

Users in high-risk environments should also consider auditing Signal’s linked devices regularly for unauthorized devices by navigating to the ‘Linked devices’ section in the application’s settings.

Related: Russia Blocks Signal Messaging App, Tightens Control Over Information

Related: Signal Pours Cold Water on Zero-Day Exploit Rumors

Related: Surveillance ‘Existential’ Danger of Tech: Signal Boss

Related: Espionage Attacks Linked to Russia’s Sandworm, Renamed APT44
