WhatsApp users alert! Govt agency warns of GhostPairing attack: All you need to know about new cyberattack threat

The cyberattack exploits the multi-device login feature of WhatsApp, gaining access to the victim’s account without leaving any trace or hint.


There’s a new WhatsApp-related threat in town that endangers the ownership of people’s WhatsApp accounts. The Indian Computer Emergency Response Team (CERT-In) has issued a high-priority advisory regarding a dangerous new cyberattack method known as GhostPairing. As deadly as the name sounds, this cyberattack technique allows threat actors to gain total, persistent control over a victim’s WhatsApp account, without needing traditional hacking methods like SIM swapping or cracking passwords.

While WhatsApp developer Meta has yet to issue a fix or a solution to help millions of users in India protect their accounts, the Indian government agency has warned people about the vulnerability and urged users to follow certain protocols to ensure that their WhatsApp accounts aren’t hacked by malicious actors.

Since WhatsApp serves as the primary communication tool for millions of Indians, the government agency is urging immediate vigilance to prevent the widespread compromise of accounts.

WhatsApp GhostPairing attack: How it works

The WhatsApp GhostPairing attack is essentially a fine example of social engineering. The cyberattack exploits the multi-device login feature of WhatsApp, gaining access to the victim’s account without leaving any trace or hint.

Step 1:

The attack usually begins with a message from a friend or family member whose account has already been hijacked. The message could be as simple and enticing as, “Hi, check this photo!” or “Did you see yourself in this video?” This is usually attached to a URL that looks like a legitimate Facebook or Instagram preview.

Step 2:

When the victim clicks the link, they are directed to a well-designed counterfeit website. To unlock the media, the site asks the user to “Verify Identity via WhatsApp.” At this stage, the site requests the user’s mobile number.

Step 3:

While the user waits for the photo to load, the attacker—monitoring the site in real-time—enters the victim’s number into the “Link with Phone Number” section of a fresh WhatsApp installation on their own server.

The victim then receives a legitimate system notification from WhatsApp containing a pairing code. The counterfeit website prompts the user, “Enter the code shown on your screen to verify.” By entering that code into the website, the victim unknowingly authorises the attacker’s device as a “Linked Device.”

WhatsApp GhostPairing is more dangerous than traditional hacks

Unlike a total account takeover, where a user is logged out of their phone (alerting them immediately), GhostPairing is stealthy.

– The attacker can read every incoming and outgoing message, view “View Once” media, and listen to voice notes without the user ever knowing.

– Attackers use the “Ghost” session to message the victim’s contacts, often asking for emergency financial help or spreading the malware further.

– Because the attacker has access to the “Linked Devices” portal, they can sync years of chat history to their own machine in minutes.

CERT-In warning: Here’s how to keep your WhatsApp safe from GhostPairing

To mitigate the risk of WhatsApp GhostPairing, CERT-In has released a specific set of safety guidelines:

Audit your “Linked Devices” weekly:

Navigate to Settings > Linked Devices. If you see a browser (like “Chrome on Linux”) or a device you don’t recognise, tap it and select “Log Out” immediately.

Never share codes:

Never enter a WhatsApp-generated pairing code into any website, even if it claims to be for “verification” or “age-gating.” Only the WhatsApp Web portal requires you to type in a code, or scan the QR code.

Verify offline:

If a friend sends you a suspicious link, call them on a standard cellular line to confirm they actually sent it.

Enable 2-step verification:

While GhostPairing bypasses the initial login, having a PIN enabled on your account adds a layer of friction that can occasionally disrupt the pairing process on certain versions of the app.

This article was first uploaded on December twenty-three, twenty twenty-five, at twenty-six minutes past two in the afternoon.