Signal patches decrypted attachment exfiltration via Intent redirection

TL;DR — Signal Android’s non-Play “website” build exposed a local, zero-permission data exfil path: a malicious app could coerce Signal into granting read access to decrypted attachments (photos, videos, documents, voice notes) via Intent redirection.

What happened

Signal is a widely used end-to-end encrypted messenger; on Android it’s distributed via multiple channels (Google Play, GitHub releases, and a direct-download “website” APK).

GitHub Security Lab (GHSL) disclosed that Signal for Android’s website flavor (downloaded from https://signal.org/android/apk) had an Intent redirection chain that allows another installed app with zero declared permissions to exfiltrate decrypted attachment bytes. The issue is rooted in an exported, unprotected BroadcastReceiver used by the website build’s self-update flow (it installs APK updates via Android’s PackageInstaller callbacks). A malicious app can explicitly target this receiver, provide attacker-controlled extras, and trick Signal into startActivity() on an attacker-supplied inner intent, preserving FLAG_GRANT_READ_URI_PERMISSION.

The disclosure describes the highest-impact target as Signal’s attachment content provider (PartProvider), which returns decrypted attachment data when accessed via content://…/part/<id> URIs. Attachment IDs are described as trivially enumerable (sequential row IDs), enabling bulk exfiltration.

This is a high-signal reminder for mobile and platform teams: self-updaters and exported components in alternative distribution flavors are a recurring “shadow attack surface” that often escapes typical Play-store hardening assumptions.

Who is impacted

• Users running the Signal Android website flavor (direct APK distribution) versions >= v6.38.0 and < v8.4.2.
• Threat model: a malicious app installed on the same device (no permissions required) that can send explicit broadcasts and receive URI grants.
• The advisory notes that the play (Google Play) and github flavors do not register the exported update receiver described.

What to do now

• Follow vendor remediation guidance and apply the fixed release for the affected distribution flavor.

  • "the fix was committed and the website apk was updated to v8.4.2"

• For fleet / managed-device environments: inventory devices that installed Signal from https://signal.org/android/apk (vs Play) and verify they are on the updated website APK.
• Treat this as a local app-to-app data exfiltration class incident:
  • If compromise is suspected, assume attachments may have been exposed to another app on-device and respond accordingly (risk assessment, sensitive-data review).
• Platform/AppSec follow-ups for Android teams:
  • Audit exported components in “alternate channel” build flavors (self-updaters, debug receivers, deep-link handlers) and require explicit android:permission and/or sender verification for any exported receiver that can relaunch intents or grant URI permissions.