GhostPairing Hijacks WhatsApp by Abusing Device Linking, Researchers Warn
Victims are lured by Facebook‑style messages into entering pairing codes that quietly add an attacker’s browser as a linked device.
Overview
- Gen Digital documented active GhostPairing activity in Czechia and warns it can spread as compromised accounts message trusted contacts and groups.
- The lure typically says a contact found the victim’s photo and links to a Facebook lookalike site that triggers WhatsApp’s pairing flow.
- Attackers prefer numeric pairing codes over QR scans, as users often mistake the prompt for routine verification and complete the link.
- Once linked, intruders gain full WhatsApp Web access to read and download chats and media, impersonate the user, and persist unnoticed unless removed.
- The campaign avoids password theft or SIM attacks and uses reusable scam kits and photo‑themed domains.
- Experts advise checking Linked Devices and enabling two‑step verification, and note that similar pairing features on other platforms could be abused.