Date: 2025-12-22

India’s cyber security agency CERT-In (Computer Emergency Response Team) has issued a high-severity warning for WhatsApp users, flagging a new account takeover technique dubbed “GhostPairing”. The advisory warns that attackers are exploiting WhatsApp’s device-linking feature to gain full control of accounts without needing passwords, OTPs, or SIM swaps.

The attack relies on social engineering rather than a traditional software flaw, making it harder for users to detect until significant damage has already been done.

What is ‘GhostPairing’?

GhostPairing is a newly identified cyber campaign that abuses WhatsApp’s device-linking feature. CERT-In says malicious actors are using pairing codes to secretly add their own browser as a trusted device on a victim’s WhatsApp account, without triggering standard authentication checks.

In practical terms, this allows attackers to hijack an account without stealing passwords or performing SIM swap attacks. Once the attacker’s device is linked, it gains nearly the same level of access as WhatsApp Web. CERT-In notes that attackers can read synced messages, receive new messages in real time, view photos, videos and voice notes, and send messages to the victim’s contacts and group chats.

How the attack works

According to the CERT-In advisory, the GhostPairing campaign typically begins with a message sent from a trusted contact. This contact’s account may already be compromised. The message often reads something like “Hi, check this photo” and includes a link with a Facebook-style preview to appear legitimate.

When users click the link, they are taken to a fake Facebook or WhatsApp viewer page that prompts them to “verify” their identity to view the content. At this stage, attackers trick users into entering their phone number on the fraudulent site. Behind the scenes, the attacker initiates WhatsApp’s legitimate device-linking process on their own browser. WhatsApp then generates a pairing code, which the victim is prompted to enter into their WhatsApp app. By doing so, the user unknowingly authorises the attacker’s browser as a linked device.

Because the attack uses WhatsApp’s official linked-device mechanism, the victim’s phone continues to work normally, with no forced logout or obvious warning. CERT-In says this allows attackers to remain undetected for extended periods while monitoring conversations or impersonating the user.

Why CERT-In says it is high risk

CERT-In has rated the GhostPairing campaign as “high severity” due to the level of access attackers gain and the ease with which the attack can spread. Once an account is compromised, attackers often use it to message the victim’s contacts with the same malicious links, rapidly expanding the attack chain. Since the primary WhatsApp account remains active on the victim’s phone, users may not immediately realise their account has been hijacked, increasing the risk of data exposure and impersonation.