GhostPairing: New Attack Hijacks WhatsApp via Linked Devices, Tricking Users with Fake Facebook QR Code
Do Son 
A deceptive new cyberattack campaign is turning one of WhatsApp’s most convenient features into a weapon, allowing hackers to take full control of user accounts without ever stealing a password or touching a SIM card. Dubbed “GhostPairing” by researchers at Gen Digital, the attack relies not on sophisticated code exploits, but on a clever manipulation of user trust and the “linked devices” function found in modern messaging apps.
The attack typically begins with a message from a compromised contact, utilizing a hook that is almost impossible for many to ignore. The victim receives a text saying something innocuous like, “Hey, I just found your photo!” accompanied by a link that generates a legitimate-looking preview, often imitating a Facebook post.
“The message includes a link that appears as a Facebook style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to ‘verify’ before they can see the content”.
This “verification” step is the trap. The page guides the user through a quick sequence of actions—steps that seem like standard security checks but are actually authorizing a hostile takeover.
Unlike traditional attacks that try to harvest login credentials, GhostPairing tricks the victim into essentially handing over the keys to the castle. The attackers use the verification process to initiate WhatsApp’s own device pairing flow.
By prompting the user to scan a QR code or enter a numeric code under the guise of verifying their identity, the victim unwittingly links the attacker’s browser to their WhatsApp account.
“There is no password theft or SIM swap – instead, the user approves the attacker themselves by entering a pairing code that looks like normal verification”.
Once the link is established, the attacker has a persistent, invisible window into the victim’s digital life. They can send messages, read private conversations, and spread the malware further—all while the legitimate owner continues to use their phone, oblivious to the “ghost” device running in the background.
The genius—and danger—of the GhostPairing attack lies in its simplicity. It does not attempt to break encryption or bypass two-factor authentication in the traditional sense. Instead, it exploits the intended design of the software.
“The campaign described here illustrates a subtle shift in how some attackers operate. Instead of breaking cryptography or circumventing authentication, they use the product as designed and persuade users to cooperate at just the right moment”.
Gen Digital researchers warn that this technique represents a broader threat to the digital ecosystem, as many platforms now prioritize seamless multi-device connectivity. “The design pattern that made GhostPairing possible is not unique to WhatsApp. Any platform that combines very easy pairing with low visibility of linked devices gives attackers something to work with”.
The campaign was first detected in Czechia but has the potential to spread globally due to its language-agnostic methodology. The incident serves as a stark reminder that in an era of convenient connectivity, a single moment of inattention can have lasting consequences.
“GhostPairing should be read as a warning, not just a WhatsApp incident. The more our digital lives depend on quick QR scans and ‘approve on your phone’ flows, the more important it becomes to design these steps so that a single moment of inattention does not quietly create a ghost device that lives in the background for months”.
Related Posts:
- QR Codes Coming to Linux Kernel Panics with 6.12 Release
- The Hidden Danger of PDF Files with Embedded QR Codes, Researchers Warn
- QR Code Phishing Attacks Escalate: Sophisticated Campaign Targets Chinese Citizens
- “Unicode QR Code Phishing”: The New Threat You Need to Know
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
