Hackers Target Signal Users With Backup Theft Campaign

A sophisticated campaign is targeting Signal messenger users by stealing their encrypted backup files and attempting to crack the passphrases offline. Attackers are using social engineering, malware distribution, and cloud storage compromise to access Signal backups stored on victims’ devices or cloud accounts. Once obtained, these backups can be subjected to brute-force attacks, potentially exposing years of private communications. Users must implement strong backup passphrases, enable additional security measures, and remain vigilant against phishing attempts targeting their encrypted messaging data.

Introduction

Signal has long been considered the gold standard for secure messaging, trusted by journalists, activists, and privacy-conscious users worldwide. However, a new attack vector has emerged that bypasses Signal’s robust end-to-end encryption by targeting the weakest link in the security chain: user-created backup files.

Recent reports indicate that threat actors are actively conducting campaigns specifically designed to steal Signal backup files from users’ devices and cloud storage accounts. Rather than attempting to break Signal’s encryption in real-time, attackers are exfiltrating encrypted backup archives and performing offline brute-force attacks against the user-selected passphrases protecting them.

This campaign represents a significant shift in tactics, demonstrating that even the most secure communication platforms can be compromised when attackers focus on implementation vulnerabilities and user behavior rather than cryptographic weaknesses.

Background & Context

Signal’s backup feature allows users to create encrypted archives of their message history, which can be restored when switching devices or recovering from data loss. These backups are protected by a 30-digit numeric passphrase that Signal generates, or alternatively, by a user-created passphrase.

The security of these backups relies entirely on the strength of the passphrase. While Signal’s default 30-digit numeric passphrase provides substantial security, many users opt for custom passphrases for convenience—often choosing weak or memorable phrases that significantly reduce the backup’s resistance to brute-force attacks.

Backup files are typically stored locally on Android devices or can be manually exported and stored in cloud services like Google Drive, Dropbox, or iCloud. This storage approach creates multiple potential attack surfaces that threat actors are now actively exploiting.

Previous attacks against encrypted messaging platforms have primarily focused on endpoint compromise, man-in-the-middle attacks, or exploiting metadata. This backup theft campaign represents a more patient, methodical approach that leverages the mathematical certainty that weak passphrases will eventually yield to computational power.

Technical Breakdown

The attack campaign operates through multiple infection and exfiltration vectors:

Initial Access Methods

Attackers are gaining access to Signal backups through several techniques:

Malware Deployment: Victims are infected with information-stealing malware that specifically searches for Signal backup files. These trojans scan common storage locations:

/sdcard/Signal/Backups/
~/Library/Application Support/Signal/backups/
%APPDATA%\Signal\backups\

Cloud Account Compromise: Attackers breach victims’ cloud storage accounts through credential stuffing, phishing, or session hijacking, then search for Signal backup files that users have manually uploaded.

Physical Access Attacks: In targeted operations, threat actors with brief physical access to unlocked devices copy backup files directly from local storage.

Exfiltration Process

Once located, backup files (typically named with patterns like signal-YYYY-MM-DD-HH-MM-SS.backup) are silently exfiltrated to attacker-controlled servers. These files can range from hundreds of megabytes to several gigabytes, depending on message history length.

Offline Cracking Operations

After exfiltration, attackers perform offline brute-force attacks against the encrypted backups. The process involves:

  • Passphrase enumeration using wordlists, common patterns, and keyboard walks
  • Computational attacks leveraging GPU clusters to test millions of passphrases per second
  • Pattern-based attacks exploiting predictable human passphrase selection behavior

For weak passphrases (dictionary words, common phrases, or short alphanumeric strings), decryption can occur within hours to days. Even moderately complex passphrases may fall within weeks given sufficient computational resources.

Post-Compromise Activities

Successfully decrypted backups expose complete message histories, including:

  • All text messages and group conversations
  • Shared media files and documents
  • Contact information and group memberships
  • Message timestamps and metadata

Impact & Risk Assessment

The consequences of this campaign are severe and wide-reaching:

Individual Privacy Violations

Compromised backups expose years of private communications, potentially revealing sensitive personal information, confidential business discussions, or information about at-risk individuals like journalists’ sources or activists’ organizing efforts.

Organizational Security Risks

Organizations relying on Signal for secure communications face potential exposure of proprietary information, strategic plans, and internal discussions that could benefit competitors or adversaries.

Threat Intelligence Value

For nation-state actors and sophisticated threat groups, stolen Signal backups provide invaluable intelligence about target networks, relationships, and operational security practices.

High-Risk User Exposure

Journalists, human rights defenders, political dissidents, and others facing targeted surveillance face the most severe risks. Exposed communications could lead to physical danger, arrest, or persecution in hostile jurisdictions.

Cascading Compromise Potential

Backup contents often include credentials, recovery codes, or information about other secure systems, potentially enabling further compromise beyond Signal itself.

The attack surface is substantial—Signal has over 100 million users worldwide, many of whom have created backups with inadequate passphrase security.

Vendor Response

Signal Foundation has acknowledged the theoretical risks associated with backup security while emphasizing that the platform’s encryption implementation remains cryptographically sound.

Signal’s official guidance stresses that the 30-digit numeric passphrase automatically generated by the application provides adequate security against brute-force attacks. The foundation has consistently warned users that custom passphrases must be exceptionally strong to provide equivalent protection.

In recent updates, Signal has implemented several backup security improvements:

  • Enhanced warnings when users select custom passphrases
  • Increased minimum passphrase length requirements
  • Better user education about backup security within the application
  • Introduction of encrypted backup storage options with additional authentication layers

Signal has not indicated plans to remove the backup feature, as it remains essential for legitimate user needs, particularly device migration and data recovery scenarios.

The platform continues to recommend that users who don’t require backups should disable the feature entirely to eliminate this attack vector.

Mitigations & Workarounds

Users can implement several defensive measures to protect against backup theft:

Disable Backups If Not Required

The most effective protection is eliminating the attack surface:

Android:

Settings > Chats > Chat backups > Turn off

Desktop:

Preferences > Chats > Turn off message backup

Use Strong Passphrases

If backups are necessary, use Signal’s generated 30-digit passphrase rather than creating a custom one. If custom passphrases are required:

  • Minimum 20 characters
  • Mix uppercase, lowercase, numbers, and symbols
  • Avoid dictionary words or common phrases
  • Use a password manager to generate and store the passphrase
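As an added illustration (not code from the article or from Signal) of why the generated 30-digit passphrase is the safer choice, the following Python applies the custom-passphrase rules listed above and compares a candidate's estimated entropy against the 30-digit numeric baseline (10^30 possibilities, about 99.7 bits). The entropy estimate assumes uniformly random characters, so it is an upper bound; the wordlist is a constructed stand-in for a real dictionary check.

```python
import math
import re
from dataclasses import dataclass

# Signal's generated backup passphrase is 30 decimal digits (as the article states),
# so the keyspace is 10**30, about 99.7 bits.
GENERATED_DIGITS = 30
BASELINE_BITS = GENERATED_DIGITS * math.log2(10)

# Constructed, deliberately tiny stand-in for a real dictionary/wordlist check.
COMMON_WORDS = {"password", "signal", "backup", "welcome", "qwerty", "letmein"}
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")   # lower, upper, digit, symbol
CLASS_SIZES = (26, 26, 10, 33)                               # 33 printable ASCII symbols

@dataclass
class PolicyResult:
    ok: bool
    bits: float
    problems: list

def estimate_bits(pw: str) -> float:
    """Upper-bound entropy: assumes every character is uniformly random over the
    alphabet formed by the character classes the passphrase actually uses."""
    alphabet = sum(n for pat, n in zip(CLASSES, CLASS_SIZES) if re.search(pat, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_custom_passphrase(pw: str) -> PolicyResult:
    """Apply the article's custom-passphrase rules and compare the result
    against the security of the generated 30-digit passphrase."""
    problems = []
    if len(pw) < 20:
        problems.append("shorter than 20 characters")
    if not all(re.search(pat, pw) for pat in CLASSES):
        problems.append("does not mix uppercase, lowercase, digits and symbols")
    hits = sorted(w for w in COMMON_WORDS if w in pw.lower())
    if hits:
        problems.append("contains common word(s): " + ", ".join(hits))
    bits = estimate_bits(pw)
    if bits < BASELINE_BITS:
        problems.append(f"{bits:.1f} bits, below the {BASELINE_BITS:.1f}-bit generated baseline")
    return PolicyResult(not problems, bits, problems)

if __name__ == "__main__":
    for candidate in ("Signal2024!", "Tr7#qL9$vWm2@Xy5&Nc8^Rb4"):
        r = check_custom_passphrase(candidate)
        print(candidate, "OK" if r.ok else "REJECTED", r.problems)
```

Note that a 20-character passphrase drawn from all four classes only reaches the baseline if it is actually random; a 20-character lowercase phrase estimates to about 94 bits and is rejected.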

Secure Local Storage

Implement device-level security measures:

  • Enable full-disk encryption
  • Use strong device authentication
  • Regularly update operating systems and security patches
  • Install reputable endpoint protection software

Protect Cloud Storage Accounts

For users storing backups in cloud services:

  • Enable multi-factor authentication
  • Use unique, strong passwords
  • Regularly audit authorized applications and access logs
  • Consider zero-knowledge encryption solutions

Regular Backup Rotation

Delete old backup files and create fresh backups periodically with updated passphrases to limit exposure windows.

Detection & Monitoring

Identifying backup theft attempts requires vigilance across multiple layers:

Device-Level Indicators

  • Unusual file access patterns to Signal directories
  • Unexpected network traffic from Signal-related processes
  • Presence of unknown applications with storage permissions
  • Battery drain or performance degradation suggesting background activity

Cloud Storage Monitoring

Configure alerts for:

  • File downloads from unfamiliar locations
  • Multiple authentication attempts
  • New device authorizations
  • Bulk file access patterns

Network Monitoring

Organizations should implement:

  • Data loss prevention (DLP) rules targeting large encrypted file transfers
  • Alerting on anomalous upload traffic to unfamiliar destinations
  • Endpoint detection and response (EDR) solutions with file exfiltration detection
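As an added example (not from the article, Signal, or any cloud provider), the following Python runs the cloud-storage and network indicators listed above over a constructed audit log: downloads of files matching the signal-YYYY-MM-DD-HH-MM-SS.backup pattern from an unfamiliar IP or a new device, bulk access within a short window, and transfers above a DLP size threshold. The log format, field names, per-user baseline and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backup filename pattern given in the article: signal-YYYY-MM-DD-HH-MM-SS.backup
BACKUP_NAME = re.compile(r"^signal-\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}\.backup$")

# Assumed per-user baseline of known IPs and device ids (hypothetical, not from the article).
KNOWN = {"alice": {"ips": {"203.0.113.10"}, "devices": {"alice-phone", "alice-laptop"}}}
LARGE_FILE_BYTES = 200 * 1024 * 1024                # DLP threshold: "large encrypted file transfer"
BULK_COUNT, BULK_WINDOW = 3, timedelta(minutes=10)  # "bulk file access" threshold

# Constructed audit log (JSON lines, chronological order); not real data.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"alice","action":"download","file":"signal-2024-04-30-22-15-03.backup","bytes":157286400,"ip":"203.0.113.10","device":"alice-laptop"}
{"ts":"2024-05-01T09:02:10Z","user":"alice","action":"download","file":"signal-2024-03-01-08-00-00.backup","bytes":512000000,"ip":"198.51.100.7","device":"unknown-1"}
{"ts":"2024-05-01T09:03:40Z","user":"alice","action":"download","file":"signal-2024-02-01-08-00-00.backup","bytes":498000000,"ip":"198.51.100.7","device":"unknown-1"}
{"ts":"2024-05-01T09:05:15Z","user":"alice","action":"download","file":"signal-2024-01-01-08-00-00.backup","bytes":470000000,"ip":"198.51.100.7","device":"unknown-1"}
"""

def detect_backup_theft(log_text, known=KNOWN):
    """Return (ts, user, file, reasons) for each Signal backup download that trips an indicator."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of recent backup downloads
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["action"] != "download" or not BACKUP_NAME.match(ev["file"]):
            continue   # only downloads of Signal backup files are in scope
        base = known.get(ev["user"], {"ips": set(), "devices": set()})
        reasons = []
        if ev["ip"] not in base["ips"]:
            reasons.append("unfamiliar location")
        if ev["device"] not in base["devices"]:
            reasons.append("new device")
        if ev["bytes"] >= LARGE_FILE_BYTES:
            reasons.append("large encrypted file transfer")
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        window = [t for t in recent[ev["user"]] if ts - t <= BULK_WINDOW] + [ts]
        recent[ev["user"]] = window
        if len(window) >= BULK_COUNT:
            reasons.append(f"bulk access ({len(window)} backups within {BULK_WINDOW.seconds // 60} min)")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["file"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect_backup_theft(SAMPLE_LOG):
        print(*alert)
```

The first download (known device, known IP, under the size threshold) produces no alert; the three that follow from the unknown device do, and the bulk-access reason attaches once three backup downloads fall within the ten-minute window.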

Account Security Audits

Regularly review:

  • Connected devices and active sessions
  • Recent login locations and times
  • Third-party application permissions
  • Cloud storage access logs

Best Practices

Implement these security practices to minimize backup theft risks:

For Individual Users

  • Minimize backup retention: Only create backups when necessary, and delete them after device migration
  • Compartmentalize sensitive communications: Use ephemeral message features for highly sensitive discussions
  • Verify device security: Ensure your device hasn’t been compromised before creating backups
  • Store backups securely: If using cloud storage, employ additional encryption layers
  • Practice operational security: Be aware of phishing attempts specifically targeting Signal users

For Organizations

  • Develop backup policies: Establish clear guidelines for when and how employees should create Signal backups
  • Provide security training: Educate staff about backup risks and proper passphrase selection
  • Deploy endpoint protection: Implement solutions capable of detecting information-stealing malware
  • Monitor for indicators: Establish detection capabilities for backup exfiltration attempts
  • Consider alternatives: Evaluate whether Signal’s desktop or iOS versions (which have different backup mechanisms) better fit your security model

For High-Risk Users

  • Avoid backups entirely: The security risk typically outweighs convenience for targeted individuals
  • Use dedicated devices: Maintain separate, secured devices for sensitive communications
  • Implement physical security: Prevent unauthorized physical access to devices containing backup files
  • Regularly assess threat model: Continuously evaluate whether your security measures match your risk profile
  • Plan for compromise: Assume communications may eventually be exposed and adjust content accordingly

Key Takeaways

  • Signal backups are only as secure as the passphrases protecting them, creating a vulnerability that attackers are actively exploiting
  • Threat actors are using malware, cloud compromise, and social engineering to steal encrypted backup files for offline cracking
  • The attack bypasses Signal’s robust end-to-end encryption by targeting the backup implementation rather than the core protocol
  • Users who don’t need backups should disable the feature entirely to eliminate this attack vector
  • Those requiring backups must use exceptionally strong passphrases—preferably Signal’s auto-generated 30-digit option
  • Organizations and high-risk users face the most significant threats and should implement comprehensive backup security policies
  • This campaign demonstrates that secure systems can be compromised through user-controlled security parameters and implementation choices
  • Vigilance, strong authentication, and regular security audits across devices and cloud services are essential defensive measures

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.