Overview
- Researchers say attackers trick users into approving access by sending, from a known contact, a link to a fake viewer page that requests the victim's phone number and then initiates WhatsApp’s legitimate device-linking flow.
- A numeric pairing-code variant is now favored because it can work even when the scam page and WhatsApp run on the same phone.
- Once linked, the attacker’s session functions like WhatsApp Web, enabling real-time reading of chats, downloading of media, and impersonation of the victim to message contacts.
- Experts stress that end-to-end encryption is not broken and no passwords or SIMs are stolen, as the compromise relies on social engineering to add an authorized device.
- Security guidance includes checking Settings > Linked devices to remove unfamiliar sessions, avoiding entering pairing codes prompted by links, enabling two-step verification, and warning contacts if an unknown device is found.