
A new WhatsApp account takeover technique dubbed GhostPairing grants attackers full access to a victim's messages and media without stealing passwords or hijacking SIMs.
Instead, it leverages WhatsApp's own device linking functionality, normally used to authorize desktop and web sessions, to silently enroll the attacker's browser as a trusted device.
The attack was jointly analyzed by GenDigital's Luis Corrons and malware researcher Martin Chlumecký, who first observed the campaign in late 2025 targeting users in Czechia. Although the messages appeared localized, the underlying infrastructure and templates were language-agnostic, allowing the method to be reused easily in other regions.
Victims typically receive a brief WhatsApp message from a known contact saying something like, “Hey, I just found your photo!”, followed by a link preview mimicking Facebook. Clicking the link leads to a fake Facebook-branded viewer page, which prompts the user to “verify” their identity before viewing the supposed content. In reality, this page is a relay for the attacker, exploiting WhatsApp's “link device via phone number” feature. Once the victim enters their phone number and follows a pairing code prompt, they unknowingly grant the attacker persistent access to their WhatsApp account.
Unlike traditional phishing or hijacking techniques, this method doesn't require stealing login credentials or intercepting messages. Instead, it manipulates users into completing WhatsApp's own device linking flow. The result is a covert browser session that remains active until explicitly removed via the app's settings.
GenDigital explains that the campaign prefers numeric pairing codes over QR codes because the entire attack can then unfold on a single device, typically the victim's smartphone, making the social engineering more seamless and scalable. While QR-based attacks are technically possible, they are far less practical, as most users would struggle to scan a code displayed on the same device they're using.
Once linked, the attacker's device gains broad access to the victim's account, including:
- Reading past and current messages
- Viewing and downloading photos, videos, and audio notes
- Impersonating the user in conversations
- Forwarding the lure to other contacts and group chats
Because the original device remains fully functional, many victims are unaware their account has been compromised. The attack spreads laterally through real social connections, not random spam, making it significantly more effective. GenDigital notes that this “trust-based” propagation is what enables GhostPairing to grow like a snowball; each compromised user unknowingly helps expand the campaign.
Researchers also point to signs that GhostPairing may be powered by a phishing kit sold or shared among threat actors. The same spoofed Facebook viewer template appears across multiple domains, such as photobox[.]life, yourphoto[.]life, and fotoface[.]top, all using consistent layout patterns and structures. These kits can be quickly reconfigured and redeployed when domains are taken down, minimizing downtime for attackers.
WhatsApp users should regularly review linked devices from the app's Settings menu and log out of any unfamiliar sessions. Also, remember that WhatsApp pairing should only be initiated from within the app, not through links or verification pages.