Researchers Identify WhatsApp Attack Allowing Account Takeover

Security researchers at Gen Digital have identified a new attack technique targeting WhatsApp that gives attackers persistent access to user accounts by abusing WhatsApp's legitimate device-linking feature.

The technique, which Gen refers to as GhostPairing, does not rely on stolen passwords, SIM swapping, or malware. Instead, attackers use social engineering to trick victims into completing WhatsApp's own device-pairing process, so that the attacker's browser is added as an additional linked device on the victim's account, one the victim never intended to add.

How the Attack Works

According to the research, victims receive a short message from a known contact, typically in casual language such as "Hey, I just found your photo!", along with a link. The link renders a preview inside WhatsApp and leads to a page designed to resemble a Facebook photo viewer.

Once opened, the page prompts the user to "verify" before viewing the content. Behind the scenes, the site drives WhatsApp's legitimate device-linking flow: it starts a WhatsApp Web pairing on the attacker's side and relays the resulting numeric pairing code to the victim, who is instructed to enter it inside WhatsApp as though it were a normal verification step.

By entering the code, the user unknowingly authorizes the attacker's browser as a linked device. From WhatsApp's perspective, this is a valid, user-approved device pairing, so nothing about it looks anomalous to the service.

Gen reports that the campaign was first observed in Czechia, where compromised accounts began sending similar lure messages to contacts and group chats. The infrastructure behind the links consisted of multiple look-alike domains themed around photos and posts, none of which were affiliated with Facebook.

The attack does not depend on language or region and can be reused in other countries simply by changing the lure text.
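The lure described above has two recognisable components: a photo- or post-themed link whose host is not actually Facebook, and a short message nudging the recipient to "verify" or enter a code. The following triage filter is an added example (not code from Gen Digital or from the article) that scores messages on those two signals; the legitimate-host list, the look-alike tokens, the lure patterns and the sample messages are all constructed assumptions for illustration, and the registrable-domain helper is deliberately simplified (production code should consult a public-suffix list).

```python
"""Heuristic triage for GhostPairing-style WhatsApp lures.

Added example, not part of the original article or the researchers' tooling.
All lists, thresholds and sample messages below are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Registrable domains allowed to host Facebook content (assumption for this example).
LEGIT_DOMAINS = {"facebook.com", "fb.com", "fbcdn.net", "messenger.com"}

# Tokens seen in photo/post-themed look-alike hosts, as the article describes.
LOOKALIKE_TOKENS = ("photo", "foto", "post", "pic", "image")

# Lure phrasing: "found your photo", a "verify" prompt, or a request for a pairing code.
LURE_PATTERNS = [
    re.compile(r"\b(found|saw|look at)\b.*\b(photo|pic|picture)\b", re.I),
    re.compile(r"\bverif(y|ication)\b", re.I),
    re.compile(r"\b(pairing|link(ing)?) code\b", re.I),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified; no public-suffix list).

    'www.facebook.com' -> 'facebook.com'; 'facebook.com.view.example' -> 'view.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit_host(host: str) -> bool:
    """True only if the registrable domain is one we trust to serve Facebook content."""
    return registrable_domain(host) in LEGIT_DOMAINS


def score_message(text: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one message; each matched signal adds one point."""
    reasons: list[str] = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_legit_host(host):
            continue  # a real facebook.com link is not a look-alike
        reasons.append(f"non-Facebook host: {host}")
        if "facebook" in host:
            reasons.append(f"brand string inside look-alike host: {host}")
        if any(tok in host for tok in LOOKALIKE_TOKENS):
            reasons.append(f"photo/post-themed host: {host}")
    for pat in LURE_PATTERNS:
        if pat.search(text):
            reasons.append(f"lure phrase matched: /{pat.pattern}/")
    return len(reasons), reasons


def triage(messages: list[str], threshold: int = 2) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for every message scoring at or above threshold."""
    flagged = []
    for i, msg in enumerate(messages):
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


# Constructed sample messages (not real campaign data); .example is a reserved TLD.
SAMPLE_MESSAGES = [
    "Hey, I just found your photo! https://facebook-photo-view.example/p/10293",
    "Lunch tomorrow at 12?",
    "Check this out https://www.facebook.com/photo/?fbid=123",
    "Verify to view the post: https://posts-viewer.example/verify",
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"[{idx}] score={score}")
        for r in reasons:
            print("   -", r)
```

Run against the constructed samples, messages 0 and 3 are flagged (the look-alike host plus a lure phrase), while the benign message and the genuine facebook.com link score zero. The point of the host check is that a brand string in the hostname is a signal against the link, not for it: only the registrable domain decides whether the destination is legitimate.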

Impact of a Successful GhostPairing Attack

Once a device is linked, attackers gain the same access as a legitimate WhatsApp Web session. This includes reading synced conversations, receiving new messages in real time, downloading media, and sending messages as the victim. Because a linked device is a full endpoint in WhatsApp's multi-device model, end-to-end encryption offers no protection here: the attacker's browser receives its own encrypted copy of each message. The victim's phone continues to function normally, and the compromise can go unnoticed until the linked device is manually removed.

Researchers note that restricting or reporting the account does not reliably remove the unauthorized linked session; it persists until it is explicitly logged out from the Linked Devices screen. Users should review WhatsApp's Linked Devices settings for any unfamiliar sessions and treat unexpected requests to enter pairing codes or scan QR codes as suspicious, even when the messages appear to come from known contacts.

