Russian threat actors have been running phishing campaigns that take advantage of the “Linked Devices” feature in the privacy-focused Signal messaging app to gain unauthorized access to targeted accounts.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate ‘linked devices’ feature that enables Signal to be used on multiple devices concurrently,” the Google Threat Intelligence Group (GTIG) said in a report.

Signal’s “linked devices” feature allows users to use the messaging app across multiple devices simultaneously.

According to the report, APT groups associated with the Kremlin are deceiving users into scanning malicious QR codes hidden in phishing pages or disguised as group invite links. This allows them to secretly add their own device as a linked endpoint to the victim’s Signal account.

Once the connection is established, the attacker can see and mirror every message sent by the user in real time. This allows the attacker to bypass Signal’s end-to-end encryption without needing to compromise the underlying cryptography.

“Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time,” the group explains.

If you’re a Signal user and want to protect yourself from this type of attack, you should enable screen lock on all mobile devices using a strong, complex password that includes a mix of uppercase and lowercase letters, numbers, and symbols. You should also install operating system updates as soon as they are released and always use the latest version of Signal and other messaging apps.

Users in high-risk environments should also consider regularly auditing the ‘Linked devices’ section in Signal’s settings to check for any unauthorized devices connected to their accounts.