CERT-In warns of 'GhostPairing' targeting Indian WhatsApp users: What is it

CERT-In has flagged a high-severity WhatsApp account takeover technique that exploits device linking to give attackers silent access without passwords or SIM swaps

India’s cyber security agency CERT-In (Computer Emergency Response Team) has issued a high-severity warning for WhatsApp users, flagging a new account takeover technique dubbed “GhostPairing”. The advisory warns that attackers are exploiting WhatsApp’s device-linking feature to gain full control of accounts without needing passwords, OTPs, or SIM swaps.

 

The attack relies on social engineering rather than a traditional software flaw, making it harder for users to detect until significant damage has already been done.

What is ‘GhostPairing’?

GhostPairing is a newly identified cyber campaign that abuses WhatsApp’s device-linking feature. CERT-In says malicious actors are using pairing codes to secretly add their own browser as a trusted device on a victim’s WhatsApp account, without triggering standard authentication checks.

 

 

In practical terms, this allows attackers to hijack an account without stealing passwords or performing SIM swap attacks. Once the attacker’s device is linked, it gains nearly the same level of access as WhatsApp Web.

 

CERT-In notes that attackers can read synced messages, receive new messages in real time, view photos, videos and voice notes, and send messages to the victim’s contacts and group chats. 

How the attack works

According to the CERT-In advisory, the GhostPairing campaign typically begins with a message sent from a trusted contact. This contact’s account may already be compromised. The message often reads something like “Hi, check this photo” and includes a link with a Facebook-style preview to appear legitimate.

 

When users click the link, they are taken to a fake Facebook or WhatsApp viewer page that prompts them to “verify” their identity to view the content. At this stage, attackers trick users into entering their phone number on the fraudulent site.

 

Behind the scenes, the attacker initiates WhatsApp’s legitimate device-linking process on their own browser. WhatsApp then generates a pairing code, which the victim is prompted to enter into their WhatsApp app. By doing so, the user unknowingly authorises the attacker’s browser as a linked device. 

  Because the attack uses WhatsApp’s official linked-device mechanism, the victim’s phone continues to work normally, with no forced logout or obvious warning. CERT-In says this allows attackers to remain undetected for extended periods while monitoring conversations or impersonating the user.

Why CERT-In says it is high risk

CERT-In has rated the GhostPairing campaign as “high severity” due to the level of access attackers gain and the ease with which the attack can spread. Once an account is compromised, attackers often use it to message the victim’s contacts with the same malicious links, rapidly expanding the attack chain.

 

Since the primary WhatsApp account remains active on the victim’s phone, users may not immediately realise their account has been hijacked, increasing the risk of data exposure and impersonation.

How to protect your WhatsApp account

CERT-In has issued a set of recommendations for both individuals and organisations to reduce the risk of account takeovers.

 

For individual users, the agency advises avoiding suspicious links even if they come from known contacts, and never entering your phone number on external websites claiming to be WhatsApp or Facebook.

 

Users are also urged to regularly check linked devices by going to WhatsApp Settings > Linked Devices. If any unfamiliar device appears in the list, it should be logged out immediately.