Hackers are bypassing WhatsApp’s encryption to hijack accounts using a novel scam called “GhostPairing.” This attack doesn’t break the app’s security directly; instead, it manipulates users into granting attackers access through a clever abuse of WhatsApp’s own device-linking feature. The scheme leverages psychological manipulation to create a “snowball effect,” spreading rapidly as compromised accounts are used to target new victims.

How the Scam Works: A Step-by-Step Breakdown

The GhostPairing scam begins with a seemingly harmless message sent to a target, often appearing to originate from a trusted contact. This message contains a link that promises access to content (like a photo), but instead directs the user to a fake Facebook login page. Crucially, this page doesn’t ask for passwords. It initiates WhatsApp’s device pairing process by displaying a verification code which the victim is instructed to enter into their WhatsApp app.

By entering the code, the user unknowingly authorizes an unknown device – controlled by the attacker – to link to their account. This grants the hacker full access to all messages, photos, videos, and voice notes in real time.

The Snowball Effect & Growing Threat Landscape

Security researchers at Avast uncovered this exploit and warn of its dangerous scalability. Because the scam relies on tricking users into self-authorizing access, it spreads quickly as compromised accounts are used to attack others. This is not simply a technical breach, but a social engineering attack that exploits trust.

“This campaign highlights a growing shift in cybercrime: breaching people’s trust is as important as breaching their security systems,” says Luis Corrons, Security Evangelist at Avast.

The effectiveness of GhostPairing illustrates a broader trend in cybercrime: attackers are increasingly prioritizing manipulation over brute-force methods. They exploit familiar mechanisms like QR codes and pairing prompts to make malicious actions appear routine and harmless. This isn’t just a WhatsApp problem; it’s a warning for any platform relying on fast, low-visibility device pairing.

Protecting Your Account: What You Can Do

WhatsApp users can check which devices have access to their account by going to Settings > Linked Devices. Any unrecognized devices should be removed immediately. Victims may not even realize they’ve been hacked, making regular checks essential.
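The link-by-code flow the article describes, and the linked-devices audit it recommends, can be modeled generically. The following is an added example for illustration only: a hypothetical PairingService, not WhatsApp's actual protocol and not Avast's code. The class and method names, the code lifetime, and the sample device metadata are all constructed assumptions. It shows why a code-only flow is abusable (possession of the code is the entire authorization) beside a hardened variant in which the primary device shows the user what the service observed about the requesting device and links only on explicit confirmation, plus an audit function in the spirit of Settings > Linked Devices.

```python
"""Generic model of a link-by-code device pairing flow and a hardened variant.

Added example for illustration only: a hypothetical PairingService, not
WhatsApp's actual protocol and not Avast's code. All names, the code
lifetime and the sample device metadata are constructed assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class LinkRequest:
    code: str
    observed: dict      # what the service itself observed about the requester
    created: float      # epoch seconds when the code was issued


@dataclass
class PairingService:
    ttl: float = 60.0                               # code lifetime in seconds (assumed)
    pending: dict = field(default_factory=dict)     # code -> LinkRequest
    linked: dict = field(default_factory=dict)      # account -> list of linked devices

    def request_link(self, observed):
        """A device asks to be linked. The service records what it observed about
        the connection (platform, region) and issues a short numeric code. In the
        scam, this code is what the fake page shows to the victim."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[code] = LinkRequest(code, dict(observed), time.time())
        return code

    def _consume(self, code):
        """Remove and return the pending request for a code, or None if the
        code is unknown or expired. A code is single-use either way."""
        req = self.pending.pop(code, None)
        if req is None or time.time() - req.created > self.ttl:
            return None
        return req

    def enter_code_weak(self, account, code):
        """Code-only flow: typing the code is the entire authorization, so
        whoever persuaded the user to type it ends up linked. This is the
        property the article describes GhostPairing abusing."""
        req = self._consume(code)
        if req is None:
            return False
        self.linked.setdefault(account, []).append(req.observed)
        return True

    def enter_code_hardened(self, account, code, user_confirms):
        """Hardened flow: before linking, the primary device shows the user the
        service-observed details of the requesting device, and the link happens
        only if the user confirms that specific device. A phishing page cannot
        forge this screen because the app renders it, not the web page."""
        req = self._consume(code)
        if req is None:
            return False
        if not user_confirms(req.observed):
            return False
        self.linked.setdefault(account, []).append(req.observed)
        return True

    def unrecognized_devices(self, account, known):
        """The linked-devices audit as a function: return every linked device
        whose (platform, region) pair is not in the user's set of known devices."""
        return [d for d in self.linked.get(account, [])
                if (d["platform"], d["region"]) not in known]


if __name__ == "__main__":
    svc = PairingService()
    # Constructed sample: a browser session from an unfamiliar region asks to link.
    code = svc.request_link({"platform": "desktop-web", "region": "ZZ"})
    print("weak flow linked:", svc.enter_code_weak("alice", code))
    code = svc.request_link({"platform": "desktop-web", "region": "ZZ"})
    print("hardened flow linked:",
          svc.enter_code_hardened("alice", code, lambda d: d["region"] == "home"))
    print("audit:", svc.unrecognized_devices("alice", {("desktop-web", "home")}))
```

The design point is where the confirmation happens: in the weak flow the only user-visible step occurs on a page the attacker controls, so nothing the user sees can distinguish their own device from the attacker's. In the hardened flow the decisive screen is rendered by the app from data the service observed, and the audit function gives the user a second chance to catch a device that slipped through.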

The success of GhostPairing underscores the need for security measures that account for both intentional user actions and the ways in which attackers can trick them into making harmful choices. The line between legitimate use and exploitation is blurring, demanding a more nuanced approach to online security.

This attack highlights how quickly trust can become exploitable when authentication becomes automatic and invisible.