Signal, the renowned encrypted messaging app, has firmly pushed back against recent reports of an alleged zero-day vulnerability in its software. The company conducted a thorough investigation and stated that it found no concrete evidence to substantiate the claim. In a series of messages posted on the social media platform X (formerly Twitter), Signal emphasized that there is no indication that this vulnerability is real, and that no additional information has been provided through official reporting channels.
Signal also mentioned that it had contacted the U.S. government for further insights and received no information to validate the alleged zero-day vulnerability. To ensure the app’s security, Signal has encouraged individuals with legitimate information to report it to security@signal[.]org.
This development comes in the wake of reports circulating over the weekend regarding a zero-day vulnerability in Signal, which, if exploited, could grant complete access to a targeted mobile device. As a precautionary measure, users have been advised to disable link previews in the app, a feature that can be turned off by navigating to Signal Settings > Chats > Generate link previews.
These reports coincide with a broader concern in the cybersecurity community, following the disclosure that zero-day vulnerabilities for messaging apps like WhatsApp are being traded on the black market for significant sums, ranging from $1.7 million to $8 million. These zero-day flaws in popular messaging apps, including iMessage, Signal, and WhatsApp, are highly sought after by nation-state threat actors, as they can serve as entry points for remote code execution on mobile devices, enabling discreet surveillance and espionage.
A recent report from Amnesty International uncovered extensive spyware attacks targeted at journalists, politicians, and academics across the European Union, the United States, and Asia. The ultimate goal of these attacks was to deploy the notorious Predator spyware, developed by a consortium known as the Intellexa alliance. Notably, social media platforms, including X (formerly Twitter) and Facebook, were used to publicly target numerous accounts belonging to individuals and institutions during this period.
The attacks were attributed to an anonymous account on X, a now-deleted handle named @Joseph_Gordon16. This account attempted to lure targets into clicking links that would install Predator malware. The Citizen Lab is closely monitoring this threat actor under the name REPLYSPY.
The Predator spyware infections are managed through a web-based system termed the ‘Cyber Operation Platform’ by Intellexa. This platform allows spyware operators to initiate attack attempts against target phones, potentially gaining access to sensitive information like photos, location data, chat messages, and microphone recordings.
Furthermore, Intellexa offers other products, including Mars, a network injection system deployed at mobile operator ISPs, and Jupiter, an add-on for Mars. Jupiter enables injection into encrypted HTTPS traffic, specifically when targeting domestic websites hosted by local ISPs. Another report from Haaretz highlights the concerning trend of commercial surveillance vendors seeking to exploit the digital advertising ecosystem to target and infect mobile devices globally through ad networks.
In an environment characterized by growing security concerns, the ongoing development of such vulnerabilities and exploits raises important questions about the safety and privacy of digital communications.