Google's Threat Intelligence Group has published a study that reveals new methods used by the APT44 hacking group (also known as Sandworm) and other russian cybercriminals to spy on the Signal accounts of Ukrainian military and government officials.
The study describes several tactics, including a new method that uses the "Connected Devices" feature and a malicious QR code.
Attacks are often disguised as group invitations or fake security messages. Some even look like military applications.
Signal hacking example
When a malicious QR code is scanned, the user's account is automatically linked to a device controlled by the attackers.
This makes it possible to read protected conversations in real time without gaining full access to the victim's device. Such attacks are difficult to detect, allowing for long-term monitoring.
Following the discovery of the threat, the Signal team, together with Google, released an update for Android and iOS to protect users and advise everyone to update the app to the latest version.
