In December 2025, Gen Digital (the parent company of both Norton and Avast) discovered a new WhatsApp account takeover campaign, named GhostPairing. It is a social engineering attack that abuses WhatsApp's legitimate device linking feature, the one used to link WhatsApp Web and/or WhatsApp Desktop, to silently link an attacker's browser to a victim's account as an additional device.
The name GhostPairing reflects the fact that the victim unwittingly completes WhatsApp's pairing flow themselves; no passwords, SIM swap or exploit is needed. Once linked to the victim's account, the attacker obtains complete real-time access to the victim's messages, media, contacts and groups, while the victim's phone continues to work normally, with no forced logout or other obvious sign of the attack.
Although the campaign began in the Czech Republic, warnings about GhostPairing were issued globally by CERT-In (India), Malwarebytes, CSO Online and others by the end of 2025 or early 2026, because the method chains compromised contacts together to lure new victims.
How the GhostPairing Attack Works Step by Step
1. Initial Lure (Usually from a Compromised Contact) The victim receives a WhatsApp message from a contact (a friend or family member) containing something such as:
a) "Is this you in this photo? Check here!"
b) "Found your picture – view it quick"
c) "Urgent: look at this before it's gone" The message contains a shortened link.
2. Phishing Page Tricks the Victim The link opens a fake page that imitates a photo viewer, a content previewer or a verification page. It either asks the victim to submit their phone number or shows the victim a QR code directly.
3. Abuse of WhatsApp Device Pairing Two main variants:
a) QR Code Variant: The fake page shows a QR code that resembles one sent over WhatsApp. The victim scans it with the WhatsApp app → the app generates a pairing code/session token → the attacker captures that code/token and links their browser.
b) Numeric Code Variant (more common): The victim enters their phone number → the attacker triggers an official "link device via phone number" request for that number → the victim's phone displays a legitimate pairing prompt ("Enter code to link device") → the victim enters the code, believing it is a normal verification step → the attacker's browser is added as a trusted device.
4. Full Access Achieved "Attacker gets full access to all chats in real time, downloads all media, reads all groups, and can send messages impersonating the victim. Victim often does not notice until hours or days later because their phone remains online and no password was taken."
5. Propagation The attacker uses the hijacked account to send the same lure to the victim's contacts and groups → a chain reaction spreads the attack.
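As an added illustration (not part of the original article), the following Python script scans a constructed WhatsApp chat export for the two patterns described in steps 1 and 5: a message that pairs photo/view/verify bait or a URL shortener with a link, and the same lure URL arriving from several contacts within a short window, which is the propagation signature of a hijacked account re-sending the bait. The export line format, the shortener list and the sample messages are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Exported WhatsApp chats use lines like "12/01/2026, 09:12 - Bob: text" (assumed format).
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}), (\d{1,2}:\d{2}) - ([^:]+): (.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)
# Bait phrasing taken from the lures quoted in the article above.
LURE_PHRASES = ("is this you", "your picture", "your photo", "before it's gone",
                "can't view this photo", "verify this message")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}  # hypothetical list

def parse_export(text):
    # Yield (timestamp, sender, message) for every line that matches the export format.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M")
            yield ts, m.group(3).strip(), m.group(4).strip()

def is_lure(message):
    """A lure carries a link plus either bait phrasing or a URL shortener."""
    urls = URL_RE.findall(message)
    if not urls:
        return False
    bait = any(p in message.lower() for p in LURE_PHRASES)
    short = any((urlparse(u).hostname or "").lower() in SHORTENERS for u in urls)
    return bait or short

def find_propagation(messages, window_minutes=120):
    """Same lure URL from 2+ senders inside the window: a hijacked account
    re-sending the bait to its contacts (the chain reaction in step 5)."""
    by_url = defaultdict(list)
    for ts, sender, msg in messages:
        if is_lure(msg):
            for url in URL_RE.findall(msg):
                by_url[url.rstrip(".,!?")].append((ts, sender))
    alerts = []
    for url, hits in sorted(by_url.items()):
        senders = sorted({s for _, s in hits})
        span = (max(t for t, _ in hits) - min(t for t, _ in hits)).total_seconds() / 60
        if len(senders) >= 2 and span <= window_minutes:
            alerts.append((url, senders))
    return alerts

SAMPLE_EXPORT = (  # constructed sample export, not real chat data
    "12/01/2026, 09:12 - Bob: Is this you in this photo? Check here! https://bit.ly/ph0to\n"
    "12/01/2026, 09:40 - Carol: Found your picture - view it quick https://bit.ly/ph0to\n"
    "12/01/2026, 10:05 - Dave: Here is the report https://example.org/report.pdf\n")
```

Running `find_propagation(list(parse_export(SAMPLE_EXPORT)))` on the sample flags the bit.ly URL because two different contacts sent it 28 minutes apart, while Dave's ordinary link is not reported.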
Why It's Dangerous
1. No traditional credentials are stolen, so two-factor authentication and SMS one-time passcodes do not stop it in most cases.
2. Persistent access: the attacker remains connected until the linked device is manually removed from the account.
3. It abuses trusted relationships: the lure arrives from a contact the victim already knows.
4. It enables money scams (requests for funds), access to private data (photos, chats) and further impersonation of the compromised user.
5. The compromised user can also serve as a foothold for a wider compromise (business or family groups).
Essential WhatsApp User Protection Guidelines
1. Never scan a QR code or enter a pairing code that arrives via a WhatsApp message, no matter how genuine it looks or whether it comes from one of your contacts. WhatsApp will never request your pairing code from an external website.
2. If you receive a suspicious WhatsApp message, confirm through another channel that your contact actually sent it, by calling them or sending a voice note.
3. Check the WhatsApp Linked Devices section right away, and periodically afterwards. In WhatsApp go to Settings > Linked Devices; log out any unknown browsers or sessions immediately.
4. Enable WhatsApp Two-Step Verification to add a further layer of security for the devices you link (in the WhatsApp app, Settings > Account > Two-Step Verification > set a PIN).
5. Do not click links in WhatsApp messages, particularly those claiming "can't view this photo" or "please verify this message".
6. If you suspect your account has been compromised, log out all linked devices from your trusted phone, change your Two-Step Verification PIN (if set), warn your contacts with a message such as "Please ignore my messages today", and report the incident to WhatsApp.
7. Consider a mobile antivirus (e.g. Bitdefender, Malwarebytes) that identifies phishing domains, and keep both your OS and WhatsApp up to date.
GhostPairing shows that legitimate features combined with social engineering can be weaponised. When using WhatsApp, treat any "photo/view/verify" message from your contacts as suspicious until verified otherwise.
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067