If you use Signal and your threat model includes Russian state actors, make sure your version of Signal is up to date in order to harden your account against these attacks:
This blog post details “Phishing Campaigns Abusing Signal’s ‘Linked Devices’ Feature” and other efforts by threat actors.
I manually updated the Signal app on my Android phone but when I opened the Windows desktop app, it had already been updated to 7.43.0, released today on February 19, 2025.
Checking recent commits from the latest Android/desktop GitHub releases, I couldn’t tell if any were related to increasing security around the Linked Devices feature.
Near the end of the article there’s also a table (Table 2) summarizing techniques and tactics for additional things like Signal Android database theft and Signal Desktop database theft, but I didn’t see any commits that seemed related to those either.
What? Not only is this victim blaming [1]; ignoring the complexities of both humans and technology; and recklessly overconfident in your own abilities to resist (spear)phishing; the definition of phishing involves falsely claiming to be a legitimate organization/similar or falsely claiming to have legitimate reasons for requested information/access. If the legitimate entity was compromised it is not phishing…
As linked in the blog post, device linking must now go through the Linked Devices view.
Using Signal desktop is not a necessity for this phishing campaign.
In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website.
[1] I don’t mean to equate cybercrime to sex crimes (which victim blaming often refers to) and I am simply using the same phrase for simplicity.
Please don’t reply with messages attributing knowledge to an inhumane (genderless, and likely privacy-invasive?) AI chatbot. Including the output of a generative tool in this context seems unnecessary.
It does seem to be QR code phishing / swapping. Just like this one:
Figure 1: Example modified Signal group invite hosted on UNC5792-controlled domain “signal-groups[.]tech”
Of course the device linking mechanism in Signal has been long criticized, which is a bit frustrating, but with this kind of attack, users’ awareness is much more important as it is a clear indication of poor OPSEC.
“Lucky” enough, my default “browser” is URLChecker, and I always check and strip links before opening.
Is there a way to make Firefox open links in URLChecker? I also have URLChecker set as a “browser”, but when I click on links in Firefox, it doesn’t open the app, instead it opens them directly.
Within the browser, I usually simply tap and hold the link to see the first part of the link before opening, instead of using URLCheck to perform a full check and strip, as UBO does some of the things already. (I know I am lazy on this part)
If you really want to do what you say, you can:
1. Tap and hold on the link,
2. select “Share Link”,
3. pick “URLCheck”.
Done.
To make your life a little bit easier, you can enable the “automation” feature in URLCheck, so you can automate Unshortener, URL Scanner, URL Cleaners, etc., which I do.
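The kind of pre-open check described in this thread, as an added example that is neither from the thread nor from URLCheck itself: it refangs a defanged indicator such as the Figure 1 domain, strips common tracking parameters, and flags hosts that merely contain “signal” but are not Signal’s own domains. The allow-list in SIGNAL_DOMAINS, the TRACKING_PARAMS list and the function names are assumptions, and the sample links are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: Signal's own domains for group invites, install/pairing pages and
# short links. Extend this allow-list for your own environment.
SIGNAL_DOMAINS = {"signal.org", "signal.group", "signal.me", "signal.link"}

# Assumption: tracking parameters a link cleaner strips before opening a URL.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                   "utm_content", "fbclid", "gclid"}


def refang(url: str) -> str:
    """Undo report-style defanging such as 'signal-groups[.]tech' or 'hxxps://'."""
    url = url.strip().replace("[.]", ".").replace("(.)", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url if "://" in url else "https://" + url


def strip_tracking(url: str) -> str:
    """Drop known tracking parameters, keeping the rest of the query and fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def classify_host(url: str) -> str:
    """'legit' for Signal's own domains (or their subdomains), 'lookalike' for any
    other host that merely contains the word 'signal', otherwise 'other'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in SIGNAL_DOMAINS or any(host.endswith("." + d) for d in SIGNAL_DOMAINS):
        return "legit"
    if "signal" in host.replace("-", ""):  # heuristic: catches signal-groups.tech
        return "lookalike"
    return "other"


def check_link(raw: str) -> dict:
    """The whole pre-open check: refang, clean, then classify the host."""
    url = strip_tracking(refang(raw))
    return {"url": url, "verdict": classify_host(url)}


if __name__ == "__main__":
    # Constructed sample links: the defanged Figure 1 domain, a real invite host,
    # and an install page carrying a tracking parameter.
    for link in ("signal-groups[.]tech/join", "hxxps://signal.group/#constructed-invite",
                 "https://signal.org/install?utm_source=ad&lang=en"):
        print(link, "->", check_link(link))
```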