Why Status is Resilient Against Recent Signal Device Linking Attacks
Recent reports have highlighted that Russian state-aligned threat actors have been targeting Signal users through its linked device functionality. Attackers exploited Signal’s web-based QR code pairing system, using malicious QR codes to hijack accounts remotely.
According to Google’s Threat Intelligence Group (GTIG) report, two major attack vectors were identified:
- 1Modified Signal Group Invites (UNC5792) – Used to trick users into revealing authentication tokens.
- 2Custom-Developed Signal Phishing Kits (UNC4221) – Designed to steal Signal credentials via fake authentication interfaces.
These attack vectors, however, do not affect Status, thanks to its fundamentally different pairing mechanism. This article explains why Status’ design prevents such attacks and what security measures are in place.
Don’t have Status yet? Get Status now—your private messenger and crypto wallet in one place. Download here: https://status.app/
Unlike Signal, which allows users to pair new devices remotely over the internet, Status’ QR code pairing is strictly local. This means:
- Both devices must be on the same Wi-Fi network.
- There is no fallback that would allow an attacker to pair a device remotely.
- A malicious QR code cannot work unless the attacker is physically present and able to connect to the same network.
Why This Protects Our Users: By restricting device pairing to local networks, Status eliminates the primary attack surface exploited in Signal's linked device hijacking. An attacker cannot simply send a phishing link or malicious QR code over the internet to take control of a user’s account. Instead, they would need to be in physical proximity to the user’s devices, making such attacks significantly harder to execute. Additionally, since there is no cloud-based infrastructure facilitating pairing, there is no risk of attackers exploiting centralised systems to inject rogue device links.
Pairing in Status is not automatic or silent:
- Pairing mode must be explicitly enabled on both devices before scanning the QR code.
- If a third device is already paired, it receives a notification about the pairing attempt.
- This process requires physical user interaction, preventing the type of phishing that targeted Signal users.
Why This Protects Our Users: Unlike phishing attacks that rely on tricking users into scanning a QR code unknowingly, Status requires active user participation on both devices. This prevents attackers from tricking users into unwittingly linking their devices to an unauthorised party. Additionally, the notification system ensures that any unauthorised pairing attempts are immediately visible to the user, allowing them to intervene and prevent malicious linking.
Status' pairing QR codes:
- Expire after 5 minutes, making them useless for replay attacks.
- Cannot be intercepted and reused by an attacker.
- Contain all necessary transport and pairing details, removing reliance on external authentication methods.
Why This Protects Our Users: In many phishing attacks, malicious actors capture QR codes and reuse them later. Since Status QR codes are only valid for a short duration and cannot be reused, an attacker would need to act within the narrow 5-minute window while being on the same local network, making exploitation highly impractical. Furthermore, because Status QR codes are designed to work only in actively enabled pairing sessions, they are not vulnerable to unauthorised scanning by background processes or malware.
Status provides users with visibility into their paired devices; they are always visible in the app settings, and mobile users can manually remove any unauthorised device.
Why This Protects Users: Users on mobile can actively manage their linked devices. However, because pairing is strictly local and requires explicit user interaction, the risk of unauthorised pairings remains low. Users are encouraged to review their linked devices on mobile and ensure that all pairings are expected.
Signal was compromised while Status stays resilient. Switch to Status now: https://status.app/
While Status’ pairing mechanism is highly secure against remote attacks, maintaining control over one’s own device is a core aspect of personal security. In most messaging apps, if an attacker gains temporary access to an unlocked phone, the attacker could attempt to pair a new device. However, even here Status has key protections in place to keep our users safe:
- Mandatory authentication to open the app ensures that attackers cannot link devices unless they already have full access to the unlocked phone.
- Paired devices are always visible in settings, so users can review and remove any unauthorised connections.
With many secure messaging apps, including Signal, an attacker with access to an unlocked device could compromise a user's security. Status' security model is different, prioritising local control, visibility, and authentication, making it much harder for an attacker to gain access, let alone maintain persistent access unnoticed. As always, users should still ensure their phones are locked when not in use and be aware of their physical security.
At Status, we prioritise security and continuously seek to improve our defences. To encourage security researchers and ethical hackers to identify vulnerabilities, we run a bug bounty programme in collaboration with Hackenproof. This programme covers both Status and Waku, offering rewards for valid security findings.
If you are interested in testing the security of Status and contributing to a safer ecosystem, you can learn more and participate here: Hackenproof IFT Bug Bounty Programme.
Status' pairing system is fundamentally more secure than Signal’s against the recent attack vectors:
- Local-only pairing prevents remote hijacking.
- Explicit user interaction prevents phishing-style attacks.
- QR codes expire quickly and cannot be intercepted.
- Users have visibility into their linked devices, with mobile allowing for manual unpairing.
These architectural choices make it extremely difficult for attackers to execute the type of phishing attack that compromised Signal users. While physical device security remains a factor, Status’ mandatory authentication further reduces risks.
As always, users should remain vigilant, ensure their devices are secured, and regularly review their linked devices list to maintain maximum security.
Trustless security beats centralisation. Try Status today! Secure messaging & crypto in one app: https://status.app/
