MITRE ATT&CK® Technique

T1676: Linked Devices

Adversaries may abuse the “linked devices” feature on messaging applications, such as Signal and WhatsApp, to register the user’s account to an adversary-controlled device. By abusing the “linked devices” feature, adversaries may achieve and maintain persistence through the user’s account, may collect information, such as the user’s messages and contacts list, and may send future messages from the linked device.

Signal is a messaging application that uses the open-source Signal Protocol to encrypt messages and calls; similarly, WhatsApp is a messaging application that has end-to-end encryption and other security measures to protect messages and calls. Both applications have a “linked devices” feature that allows users to access their Signal and/or WhatsApp accounts from different devices, such as a Windows or Mac desktop, an iPad or an Android tablet.[1][2]

Adversaries may use Phishing techniques to trick the user into scanning a quick-response (QR) code, which is used to link the user’s Signal and/or WhatsApp account to an adversary-controlled device. For example, adversaries may masquerade QR codes as group invites, security alerts or as legitimate instructions for pairing linked devices. Upon scanning the QR code in Signal, users may click on the “Transfer Message History” option to sync the linked devices, which may allow adversaries to collect more information about the user. Upon scanning the QR code in WhatsApp, the user’s device will automatically send an end-to-end encrypted copy of recent message history to the adversary-controlled device.

Domain: Mobile | ID: T1676 | Type: Technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Linked Devices is a mobile ATT&CK technique covering abuse of the Signal or WhatsApp device-linking feature to attach a user’s account to an adversary-controlled device. The business issue is not malware on the phone; it is unauthorized account access through a legitimate messaging feature, which can expose recent messages and contacts and lets the adversary send future messages from the linked device. This matters for executives and security leaders because sensitive communications may be compromised even when endpoint tooling shows no traditional infection.

Executive priority

Prioritize this as an identity, user-awareness, and incident-response readiness issue for Android and iOS users who rely on Signal or WhatsApp for sensitive business communications. Leaders should ask whether high-risk users know how linked-device prompts and QR-code pairing work, whether incident responders have a playbook for reviewing and removing unauthorized linked devices, and whether compliance or investigations can preserve enough evidence when application-level telemetry is limited. ATT&CK records relationships to Sandworm Team and Star Blizzard, so threat intelligence teams should treat this as relevant to targeted phishing risk without assuming current exposure in the local environment.

Technical view

SOC and IR teams should validate how they would identify unauthorized linked devices for Signal and WhatsApp on Android and iOS. The official ATT&CK object provides no detection text, but it describes phishing-driven QR-code pairing, Signal message-history transfer behavior, WhatsApp automatic transfer of recent message history, contact/message collection, and future message sending from the linked device. Detection engineering should therefore focus on account-state review, user-facing linked-device notifications, suspicious QR-code lures, and post-report triage rather than relying only on mobile malware indicators. The related DET0716 detection strategy exists, but its detailed logic is not included in the supplied fields.

Likely telemetry

  • Signal and WhatsApp linked-device/session lists visible to the user or responder
  • Application notifications or prompts related to linking, pairing, or message-history transfer where available
  • User reports of unexpected linked-device alerts, QR-code prompts, or messages sent from their account
  • Phishing artifacts involving QR codes masquerading as group invites, security alerts, or pairing instructions
  • Mobile device context for Android and iOS, including screenshots, app state, and timeline evidence collected during IR

Detection direction

  • Validate that SOC and help desk workflows recognize unauthorized Signal or WhatsApp linked devices as a potential account-compromise condition, not merely a user-support issue.
  • Tune phishing analysis to flag QR-code lures that claim to be group invites, security alerts, or linked-device setup instructions.
  • For high-risk users, establish a process to periodically review linked devices and preserve screenshots or other account-state evidence during investigations.
  • Account for blind spots: ATT&CK provides no official detection text, and consumer messaging applications may not expose centralized enterprise logs.
  • Reduce false positives by distinguishing legitimate user-approved desktop or tablet linking from unexpected devices, unexpected timing, or linking after a suspicious QR-code interaction.
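The last point above amounts to a small triage rule set: a linked device is worth chasing when its name is not in the user’s approved baseline, when it was linked shortly after a reported suspicious QR-code interaction, when the link was created at an unusual hour, or when a display name is shared by more than one device (names in the linked-devices list are self-reported, so a plausible name alone proves nothing). The script below, added here as an illustration and not code from MITRE, Glexia or either messaging application, applies those rules to a linked-device list that a responder has transcribed from the app’s screen. The record fields, device names, timestamps, the 24-hour window and the 07:00–20:00 expected-hours range are all constructed assumptions; tune them to the user.

```python
"""Triage a Signal/WhatsApp linked-device list against a user's approved baseline.

Added example; not code from the ATT&CK object, MITRE or Glexia. It assumes a
responder has transcribed the linked-devices screen into records (device name,
link time, last activity) and knows the user's approved devices and any reported
suspicious QR-code interactions. Names, timestamps and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LinkedDevice:
    name: str              # display name from the linked-devices list (self-reported)
    linked_at: datetime    # when the link was created, timezone-aware
    last_active: datetime  # most recent activity shown for the device


@dataclass(frozen=True)
class Finding:
    device: LinkedDevice
    reasons: tuple[str, ...]


def triage_linked_devices(devices, approved_names, qr_events=(), *,
                          window=timedelta(hours=24), expected_hours=(7, 20)):
    """Return a Finding for every device that deserves responder attention.

    Heuristics (hypothetical thresholds):
      - display name not in the approved baseline
      - link created within `window` after a reported suspicious QR-code scan
      - link created outside `expected_hours` (hour range, end exclusive)
      - same display name used by more than one linked device
    Devices with no reasons are omitted; an empty list means nothing to chase.
    """
    name_counts = Counter(d.name for d in devices)
    findings = []
    for d in devices:
        reasons = []
        if d.name not in approved_names:
            reasons.append("device name not in approved baseline")
        for qr in qr_events:
            delta = d.linked_at - qr
            if timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"linked {minutes} min after reported QR-code "
                               f"interaction at {qr.isoformat()}")
                break
        start, end = expected_hours
        if not (start <= d.linked_at.hour < end):
            reasons.append(f"linked at {d.linked_at:%H:%M} outside expected hours "
                           f"{start:02d}:00-{end:02d}:00")
        if name_counts[d.name] > 1:
            reasons.append(f"display name shared by {name_counts[d.name]} linked devices")
        if reasons:
            findings.append(Finding(d, tuple(reasons)))
    # Most reasons first so the responder starts with the strongest candidate.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Constructed sample: a transcribed linked-devices list for one user.
UTC = timezone.utc
SAMPLE_DEVICES = [
    LinkedDevice("Work laptop", datetime(2025, 3, 3, 9, 15, tzinfo=UTC),
                 datetime(2025, 5, 9, 8, 2, tzinfo=UTC)),
    LinkedDevice("iPad", datetime(2025, 1, 20, 14, 0, tzinfo=UTC),
                 datetime(2025, 5, 7, 19, 30, tzinfo=UTC)),
    LinkedDevice("Signal Desktop", datetime(2025, 5, 8, 23, 41, tzinfo=UTC),
                 datetime(2025, 5, 9, 0, 5, tzinfo=UTC)),
    LinkedDevice("iPad", datetime(2025, 5, 8, 23, 52, tzinfo=UTC),
                 datetime(2025, 5, 9, 0, 10, tzinfo=UTC)),
]
SAMPLE_APPROVED = {"Work laptop", "iPad"}
# The user reported scanning a "group invite" QR code at this time (constructed).
SAMPLE_QR_EVENTS = [datetime(2025, 5, 8, 23, 30, tzinfo=UTC)]

if __name__ == "__main__":
    for f in triage_linked_devices(SAMPLE_DEVICES, SAMPLE_APPROVED, SAMPLE_QR_EVENTS):
        print(f"{f.device.name!r} linked {f.device.linked_at:%Y-%m-%d %H:%M}")
        for r in f.reasons:
            print("   -", r)
```

On the sample data the unknown "Signal Desktop" and the second "iPad" each collect three reasons (linked minutes after the reported scan, at an unusual hour, and either an unknown name or a duplicated one), while the long-standing "iPad" is listed only because its name is now shared and the "Work laptop" is not reported at all. Preserve a screenshot of the linked-devices screen before anything is removed; once a device is unlinked the app no longer shows it.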

Mitigation priorities

  • Use M1011 User Guidance as the primary ATT&CK-supported mitigation: train users not to scan unexpected QR codes for messaging applications and to verify any pairing request through a trusted channel.
  • Provide role-specific guidance for executives, legal, government-facing teams, incident responders, and other users who handle sensitive communications.
  • Document how users and responders can review and remove linked devices in Signal and WhatsApp using the official application guidance referenced by ATT&CK.
  • Include linked-device review in mobile incident-response checklists after suspected phishing or suspicious messaging-account behavior.
  • Avoid relying solely on endpoint malware controls; this technique abuses legitimate application functionality.

Analyst notes and limits

This object is new in ATT&CK version 19.1 and applies to the mobile domain on Android and iOS. The supplied relationships show detection strategy DET0716, mitigation M1011 User Guidance, and use by Sandworm Team and Star Blizzard. The practical defensive value is in validating user education, phishing triage, and responder procedures for account-level linked-device abuse.

The supplied ATT&CK fields do not specify tactics and do not include official detection logic. Telemetry availability will depend on the messaging application, user device access, organizational policy, and whether evidence is captured before a linked device is removed. This take does not assert active exploitation, local exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Mobile)

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group (Mobile)

G1033: Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 911c83be8ead58ae...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported:
  • Object version: 1.0
  • Modified:
  • Status: Current bundle
  • Raw hash: 911c83be8ead…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. WhatsApp. (n.d.). How to link a device. Retrieved May 9, 2025. (Source record: WhatsApp_LinkDevice_NoDate)
  2. Signal. (n.d.). Linked Devices. Retrieved May 9, 2025. (Source record: Signal_LinkedDevices_NoDate)
  3. MITRE ATT&CK. T1676: Linked Devices. (Source record: mitre-attack T1676)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.