New spear-phishing attacks against targeted organisations and individuals
A recent spate of incidents involving malicious QR codes is a timely reminder, once again, that mass-adoption consumer apps are a favoured attack vector for criminals and state-sponsored actors, and so should NOT be relied upon for military, sensitive or commercial business communications.
The latest story to hit the headlines is the compromise of Signal accounts, including some used by military targets, by abusing the device-linking feature within the app. Google Threat Intelligence Group (GTIG) has reported that the device-linking feature is being widely used by state-sponsored groups to attack Signal accounts. Social engineering is used to trick targets into scanning malicious QR codes that link their account to a device controlled by the attacker. From there the attacker’s device synchronises with the victim’s account and receives all of their secure communications.
Signal QR code attack vector is evolving
The attackers adapt this trick to the target. For a broader campaign the malicious QR code is disguised as a legitimate app resource, such as a Signal group invite or the device-pairing instructions from the Signal website. When individuals are targeted, phishing sites are set up that have been specifically designed to attract the victim’s attention. In other examples, a legitimate group invite page is altered to redirect to a malicious domain that then pairs the victim’s account with a device controlled by the attacker.
GTIG has reported that this type of attack has successfully been perpetrated on devices used by military forces on the battlefield.
Particularly worrying is that this compromise is very difficult to spot and so can remain undetected for extended periods of time.
WhatsApp attacks proliferating too
Activity by the group known as Star Blizzard is another case in point, with an advisory notice issued by the national technical authorities of all of the ‘Five Eyes’ community (NCSC, CISA, FBI, NSA, CNMF, ACSC, CCCS, NZNCSC).
Star Blizzard creates email accounts and fake social media profiles impersonating known contacts of the target, using malicious but authentic-looking domains. They take time to build rapport with the victim and then send a link to the malicious site. What is new here is that the attackers are now inviting people (including US government officials) to join a WhatsApp group via a QR code, which carries malicious code that gives the attacker access to the victim’s account. By joining the WhatsApp group the victim hands over access to their data, and the perpetrator can then see and exfiltrate messages, correspondence, credentials and contacts.
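Both the Signal device-linking lure described above and the WhatsApp group-invite QR code described in this section rely on the victim not knowing what a scanned code will actually do. The following is an added example, not Armour’s code and not taken from the GTIG or Five Eyes reporting: a small triage routine that classifies a decoded QR payload before anyone acts on it, so a user or a helpdesk can tell a device-linking request apart from a genuine group invite. It assumes the payload formats used by the apps (Signal device linking as an `sgnl://linkdevice?...` URI, Signal group invites on `signal.group`, WhatsApp group invites on `chat.whatsapp.com`); none of these are stated on this page, so verify them against the current versions of the apps you run. The sample payloads at the bottom are constructed.

```python
"""Triage of decoded QR-code payloads (added example, not Armour's code).

Classifies what a QR code would do if scanned inside a messaging app:
link a new device to the account (the attack the page describes), open a
group invite, open some other link, or nothing link-like at all.

Assumptions (not from the page; check against the apps you use):
  * Signal device linking encodes an sgnl://linkdevice?uuid=...&pub_key=... URI.
  * Signal group invites are https://signal.group/#<token>.
  * WhatsApp group invites are https://chat.whatsapp.com/<code>.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts the apps themselves use for group invites (assumed, see module docstring).
GROUP_INVITE_HOSTS = {
    "signal.group": "signal-group-invite",
    "chat.whatsapp.com": "whatsapp-group-invite",
}


def classify_qr_payload(payload: str) -> dict:
    """Return {"kind", "risk", "reason", ...} for one decoded QR string."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if not scheme:
        # Plain text, Wi-Fi configs, etc. are not links and cannot link a device.
        return {"kind": "not-a-link", "risk": "info", "reason": "payload is not a URL"}

    if scheme == "sgnl" and host == "linkdevice":
        # This is the provisioning flow: scanning it pairs a NEW device to the
        # account, which is exactly what the attackers in the page rely on.
        params = parse_qs(parts.query)
        return {
            "kind": "signal-device-link",
            "risk": "high",
            "reason": "pairs a new device to your Signal account; only expected "
                      "when you yourself are setting up a desktop/tablet client",
            "linking_id": params.get("uuid", [""])[0],
        }

    if scheme == "https" and host in GROUP_INVITE_HOSTS:
        # Expected invite host. Note: a legitimate-looking invite page can still
        # redirect elsewhere after the tap, so this is a pre-scan check only.
        return {
            "kind": GROUP_INVITE_HOSTS[host],
            "risk": "review",
            "reason": "group invite on the app's own invite host; confirm the "
                      "sender out of band before joining",
        }

    # Any other link: lookalike domains (e.g. signal-group.<tld>) land here.
    return {
        "kind": "unknown-link",
        "risk": "medium",
        "reason": f"link to {host or scheme!r}, which is not an expected "
                  "messaging-app invite host",
    }


def triage(payloads):
    """Classify several payloads and order the riskiest first."""
    order = {"high": 0, "medium": 1, "review": 2, "info": 3}
    results = [dict(payload=p, **classify_qr_payload(p)) for p in payloads]
    return sorted(results, key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    # Constructed sample payloads, not real invites or linking requests.
    samples = [
        "https://signal.group/#CjQKIExampleInviteToken",
        "sgnl://linkdevice?uuid=00000000-0000-0000-0000-000000000000&pub_key=QUJDREVG",
        "https://chat.whatsapp.com/ExampleInviteCode",
        "https://signal-group.example/join",   # lookalike domain
        "Welcome to the conference!",
    ]
    for r in triage(samples):
        print(f"[{r['risk']:>6}] {r['kind']:<22} {r['payload'][:50]}")
        print(f"         {r['reason']}")
```

The point of the `high` classification is that a device-linking request is never something a group invite should produce; if a code advertised as an invite decodes to one, stop. Because a redirect on a legitimate-looking invite page cannot be seen in the payload itself, the check after the fact is the app’s own linked-devices list: any device there that the user did not add is the compromise the page describes, and should be unlinked immediately.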
There has been a concerted effort in the mainstream media to highlight the dangers of ‘pig butchering’ – a gruesome name for the practice where a scammer builds a ‘rapport’ with the victim, often over many months, before asking for money. The victims are often so convinced that they part with significant amounts of money before the fraud is unearthed – leading to some heartbreaking cases.
In a similar manner, the ongoing, broad, and totally inappropriate use of WhatsApp for sensitive government and defence communications has predictably led to similar, targeted, social engineering attacks on such users, as well as high value zero-day hacks. Even commercial solutions such as Teams are targeted in a similar manner.
Mass adoption apps increase risk of compromise for sensitive communications
These two examples are a clear demonstration of why mass adoption and consumer apps (such as WhatsApp and Signal) are simply not suitable for business use. People are familiar with using them in their personal lives and are therefore much more likely to be tricked/scammed because they will not be on their guard in quite the same way – familiarity breeds contempt.
Mass adoption apps are difficult (if not impossible) for IT departments to manage as they are usually controlled by organisations that are more concerned with building a user base as large as possible, rather than protecting individuals’ security. Their use is so widespread that they make an obvious target for malicious actors looking to disrupt and/or steal valuable information. There may also be questionable use of the app data by its creator.
Armour Secure Communications Platform – built for purpose
By keeping work conversations and communications within built-for-purpose business applications, such as Armour Mobile, sensitive communications, documents, files, contact lists, etc. remain controlled and protected within the Armour platform. Data sovereignty is maintained and information can’t be exported or shared outside of strictly controlled groups of Armour users.
The central management of the complete Armour Mobile user lifecycle provides robust security such that only authorised users can access the system, and their access and data can be instantly revoked when they leave, or if their device is lost or stolen. This is one of the biggest differentiators between a free-to-use consumer app and an enterprise level product such as Armour Mobile. Using a Secure by Design (and Secure by Default) communications and collaboration platform such as Armour fosters and enforces good security practices and supports user and organisational data privacy.
For more information about what you should be looking for in a Secure Communications Platform read our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/