Linked Devices

Adversaries may abuse the "linked devices" feature on messaging applications, such as Signal and WhatsApp, to register the user’s account to an adversary-controlled device. By abusing the "linked devices" feature, adversaries may achieve and maintain persistence through the user’s account, may collect information, such as the user’s messages and contacts list, and may send future messages from the linked device.

Signal is a messaging application that uses the open-source Signal Protocol to encrypt messages and calls; similarly, WhatsApp is a messaging application that has end-to-end encryption and other security measures to protect messages and calls. Both applications have a "linked devices" feature that allows users to access their Signal and/or WhatsApp accounts from different devices, such as a Windows or Mac desktop, an iPad or an Android tablet.[1][2]

Adversaries may use Phishing techniques to trick the user into scanning a quick-response (QR) code, which is used to link the user’s Signal and/or WhatsApp account to an adversary-controlled device. For example, adversaries may disguise QR codes as group invites, security alerts, or legitimate instructions for pairing linked devices.
Upon scanning the QR code in Signal, users may click on the "Transfer Message History" option to sync the linked devices, which may allow adversaries to collect more information about the user. Upon scanning the QR code in WhatsApp, the user’s device will automatically send an end-to-end encrypted copy of recent message history to the adversary-controlled device.

ID: T1676
Sub-techniques: No sub-techniques
Platforms: Android, iOS
Contributors: Giorgi Gurgenidze, GITAC
Version: 1.0
Created: 19 May 2025
Last Modified: 19 May 2025

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0034 | Sandworm Team | Sandworm Team has used the linked devices feature to connect Signal accounts on devices captured on the battlefield to adversary-controlled infrastructure for follow-on exploitation.[3] |
| G1033 | Star Blizzard | Star Blizzard has used the linked devices feature to connect WhatsApp accounts to adversary-controlled infrastructure and/or the WhatsApp Web portal for message exfiltration.[4] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | For Android devices, users should be advised to enable Google Play Protect, which checks the device itself and the applications for malicious behavior. For iOS devices, users who are concerned about being targeted should consider enabling Lockdown Mode, which provides extreme protection of the device as well as data stored and transmitted. In general, users should be advised against scanning QR codes and/or clicking on suspicious links or text messages, which may masquerade as device-linking instructions by Signal or WhatsApp. |

Detection Strategy

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0716 | Detection of Linked Devices | AN1845 | The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. |
| DET0716 | Detection of Linked Devices | AN1846 | The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device. |

References