Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence
16.10.23  Vulnerability  The Hacker News

Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.

"After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted on X (formerly Twitter).

Signal said it also checked with the U.S. government and that it found no information to suggest "this is a valid claim." It's also urging those with legitimate information to send reports to security@signal[.]org.

The development comes as reports circulated over the weekend about a zero-day exploit in Signal that could be used to gain complete access to a targeted mobile device.

As a security precaution, it's been advised to turn off link previews in the app. The feature can be disabled by going to Signal Settings > Chats > Generate link previews.

The disclosure also arrives as TechCrunch revealed that zero-days for infiltrating messaging apps like WhatsApp are being sold for anywhere between $1.7 and $8 million.

Zero-day flaws in iMessage, Signal, and WhatsApp are lucrative for nation-state threat actors, as they can be used as entry points to achieve remote code execution on mobile devices and stealthily surveil targets of interest by means of one-click or zero-click exploit chains.

A recent report from Amnesty International found that spyware attacks have been attempted against journalists, politicians, and academics in the European Union, the U.S., and Asia with an ultimate aim to deploy Predator, which is developed by a consortium known as the Intellexa alliance.

"Between February and June 2023, social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts belonging to 27 individuals and 23 institutions," Amnesty International said, linking it to a customer with connections to Vietnam.

Central to the spread of infections was an anonymous account on X, a now-deleted handle named @Joseph_Gordon16, that attempted to lure targets into clicking links that would install Predator malware. The Citizen Lab is tracking the threat actor under the name REPLYSPY.

"Predator spyware infections are managed via a web-based system which Intellexa terms the 'Cyber Operation Platform,'" the international non-governmental organization said in a technical deep dive of the Predator framework.

"Spyware operators can also use this interface to initiate attack attempts against a target phone, and if successful, to retrieve and access sensitive information including photos, location data, chat messages, and microphone recordings from the infected device."

Other products offered by Intellexa include Mars, a network injection system installed at mobile operator ISPs that silently redirects any unencrypted HTTP request from a smartphone to a Predator infection server, and Jupiter, an add-on for the Mars system that enables injection into encrypted HTTPS traffic but only works with domestic websites hosted by a local ISP.

A recent report from Haaretz also detailed how commercial surveillance vendors are looking to weaponize the digital advertising ecosystem to target and infect mobile devices globally using ad networks.