In other cases, hackers have tricked Ukrainians into scanning malicious QR codes that, once scanned, link a victim’s account to the hacker’s interface, meaning future messages will be delivered both to the victim and the hackers in real time.
Russia-linked groups including UNC4221 and UNC5792 have been sending altered Signal “group invite” links and codes to Ukrainian military personnel, Google said.
Signal is considered an industry benchmark for secure, end-to-end encrypted messaging, as it collects minimal data and its end-to-end encryption protocol is open-source, meaning cybersecurity experts can continuously check it for glitches. The European Commission and European Parliament are some of the government institutions that have advised staff to use the application over competing messaging apps.
Google’s research did not suggest the app’s encryption protocol itself was vulnerable, but rather that the app’s “linked devices” functionality was being abused as a workaround.
In response to the threat, Signal senior technologist Josh Lund said the app “made several changes to help raise awareness and protect users from the types of social engineering attacks that the report describes,” including by overhauling the user interface, introducing additional authentication steps and implementing notifications for new linked devices.
Google is now warning the workarounds to snoop on Signal data could pop up beyond Ukraine too.