GhostPairing's Stealthy Abuse Of WhatsApp's Device Linking

A new account takeover method called GhostPairing is targeting WhatsApp users. It does not rely on stolen passwords, SIM swapping, or zero-day vulnerabilities; instead it abuses WhatsApp's device-linking feature through social engineering, covertly granting attackers persistent access to the victim's account.

GhostPairing Stealthy Abuse Of WhatsApp Device Linking

The GhostPairing campaign first appeared in Czechia, as detailed in a public report by Gen Digital (formerly NortonLifeLock, and before that Symantec Corporation). Victims received short messages from contacts, such as "Hey, I just found your photo!", designed to prompt interaction.

These messages included links that appeared as Facebook preview cards but directed users to imitation Facebook-style pages. On these pages, victims were instructed to "verify" before viewing the alleged content, with language resembling legitimate web verification prompts.

The fake page never communicated with Facebook. It acted as a relay: it asked the victim for their phone number, and then presented a pairing code generated by WhatsApp's device-linking mechanism for a browser session on the attacker's side, framed as a "verification code" the victim had to confirm. By entering that code in WhatsApp on their own phone, victims unknowingly authorized a second device, the attacker's browser, as a trusted session on their account.

Unlike conventional phishing, which steals passwords or intercepts two-factor authentication secrets, GhostPairing turns WhatsApp's own protective feature against the user. The pairing-code step resembles the familiar multifactor verification flows of many services, which lowers suspicion and leads users to complete the steps without scrutiny.

Once the attacker's device is linked, it receives messages in real-time, gains access to historical chat records (to the extent they have been synced), and can view media files, such as photos, videos, and voice notes.

This access remains persistent. Linked devices stay connected until manually removed in WhatsApp's Settings → Linked Devices. Many victims may not notice the compromise until significant consequences occur. The original phone continues functioning normally, further obscuring the incident. Compromised accounts can then be used to spread similar lure messages to contacts and groups, facilitating trust-based propagation.

The attack illustrates how legitimate features can be exploited if user awareness and clear instructions are lacking. The campaign targets trusted contact relationships, with messages that seem to originate from known individuals.

The general sequence is as follows:

  • A victim receives a short, friendly message from a known contact with a preview that appears to be a legitimate link.
  • The victim clicks the link, expecting to see a photo or content related to that contact.
  • The victim lands on a fake page that mimics a Facebook viewer and requests verification steps.
  • The victim enters their phone number and the pairing code generated by WhatsApp.
  • WhatsApp interprets this as legitimate consent to add a second device, the attacker's, to the account.

Once linked, the attacker's browser session remains trusted and can operate in parallel with the victim's legitimate device. The attacker can read messages, impersonate the victim, and further distribute social engineering messages to new targets.
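
The sequence above, as an added example that is not code from the Gen Digital report or from WhatsApp or Signal: a deliberately simplified model of a "link with phone number" flow, the GhostPairing relay against it, and the user-side audit that ends the rogue session. It goes slightly beyond the text in also modelling the QR-code variant of the same relay that the Signal campaigns below used. The service, the 8-character code alphabet, the `linkdevice://` URI scheme and the device names are all assumptions made for illustration, not the real wire format; what the model reproduces faithfully is the trust decision, which is that the service only learns that the registered phone confirmed a pending request, not who was looking at the screen that displayed the code.

```python
"""Simplified model of device linking and the GhostPairing relay (added example).

Everything here (service, code format, URI scheme, names) is an assumption for
illustration, not WhatsApp's or Signal's real protocol.
"""
import secrets
import string
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed code alphabet


@dataclass
class LinkedDevice:
    name: str          # self-reported by the linking client, so attacker-controlled
    session_id: str


@dataclass
class LinkingService:
    """Server side of linking: issues codes, links devices, fans out messages."""
    pending: dict = field(default_factory=dict)   # (phone, code) -> device name
    linked: dict = field(default_factory=dict)    # phone -> [LinkedDevice]

    def request_code(self, phone: str, device_name: str) -> str:
        """Any client may ask for a code for any phone number; nothing is
        authenticated at this point.  The code is meant to be read off the
        screen of the new device by its owner."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        self.pending[(phone, code)] = device_name
        return code

    def confirm_from_phone(self, phone: str, code: str):
        """Called by the registered phone.  A matching code is taken as consent;
        the service cannot tell whether the user or a phishing page showed it."""
        name = self.pending.pop((phone, code), None)
        if name is None:
            return None                      # wrong or expired code: no link
        dev = LinkedDevice(name, secrets.token_hex(8))
        self.linked.setdefault(phone, []).append(dev)
        return dev

    def revoke(self, phone: str, session_id: str) -> None:
        """Equivalent of logging a device out from the Linked Devices screen."""
        self.linked[phone] = [d for d in self.linked.get(phone, [])
                              if d.session_id != session_id]

    def deliver(self, phone: str, text: str) -> list:
        """Every linked session receives each message; returns recipient names."""
        return [d.name for d in self.linked.get(phone, [])]


class Phone:
    """The user's primary device: the only party that can confirm a link."""
    def __init__(self, number: str, service: LinkingService):
        self.number, self.service = number, service

    def link_with_code(self, code: str):
        return self.service.confirm_from_phone(self.number, code)

    def scan_linking_qr(self, uri: str):
        """QR variant: the code travels inside a URI the phone scans.  The scheme
        and parameter names are invented for this model."""
        parsed = urlparse(uri)
        if parsed.scheme != "linkdevice":
            return None
        code = parse_qs(parsed.query).get("code", [None])[0]
        return self.link_with_code(code) if code else None


def legitimate_link(phone: Phone) -> LinkedDevice:
    """User opens the web client on their own laptop and types the code shown there."""
    code = phone.service.request_code(phone.number, "Chrome (own laptop)")
    return phone.link_with_code(code)


def ghostpairing_relay(phone: Phone) -> LinkedDevice:
    """Attacker's server requests a code for the victim's number, the phishing
    page shows that same code as a 'verification code', the victim types it in."""
    code = phone.service.request_code(phone.number, "Chrome (attacker host)")
    shown_on_phishing_page = code           # relayed unchanged; nothing to break
    return phone.link_with_code(shown_on_phishing_page)


def malicious_qr(phone: Phone) -> LinkedDevice:
    """Same relay, QR-encoded and passed off as a 'group invite'."""
    code = phone.service.request_code(phone.number, "Desktop (attacker)")
    fake_invite = f"linkdevice://pair?phone={phone.number}&code={code}"
    return phone.scan_linking_qr(fake_invite)


def audit_and_revoke(phone: Phone, known_names: set) -> list:
    """The user's check: remove every linked session they did not set up.
    Names are chosen by the linking client, so an attacker can pick a plausible
    one; the safe rule is to drop anything you did not link yourself."""
    removed = []
    for dev in list(phone.service.linked.get(phone.number, [])):
        if dev.name not in known_names:
            phone.service.revoke(phone.number, dev.session_id)
            removed.append(dev.name)
    return removed


if __name__ == "__main__":
    svc = LinkingService()
    victim = Phone("+420000000000", svc)      # constructed number
    legitimate_link(victim)
    ghostpairing_relay(victim)
    print("recipients:", svc.deliver(victim.number, "hi"))        # attacker included
    print("removed:", audit_and_revoke(victim, {"Chrome (own laptop)"}))
    print("recipients:", svc.deliver(victim.number, "hi again"))  # attacker gone
```

Note where the model puts the weakness: `request_code` is unauthenticated by design, because the new device has no identity yet, and `confirm_from_phone` accepts any matching code without knowing which human read it off which screen. That is why the fix is procedural (only type codes you read off a device you hold) and why the audit removes unknown sessions rather than trusting their self-reported names.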

Several features of this attack are particularly concerning:

  • No stolen credentials are needed. The attacker never needs the victim's password, email, or SMS codes beyond the pairing code that the victim supplies.
  • Visibility to victims is minimal. Because WhatsApp does not loudly notify users in everyday usage about newly linked devices, victims may remain unaware of the compromise.
  • Propagation is self-amplifying. Leveraging compromised accounts to send lures to real contacts significantly increases the likelihood of success.

These factors make GhostPairing a potent social engineering attack that exploits trust networks and WhatsApp's own features. To reduce risk, users should regularly check the Linked Devices list in WhatsApp's settings and remove any device they do not recognize; logging a device out from that list ends its session immediately.

Enable two-step verification within WhatsApp as well, but understand its scope: the two-step PIN is requested when the phone number is registered on a new phone, so it guards against SIM-swap style re-registration, not against the device-linking flow that GhostPairing abuses. Never enter pairing codes or your phone number on a website, even when the prompt appears to come from a familiar contact, and link new devices only through WhatsApp's own in-app flow (Settings → Linked Devices), where the code you type is one you yourself read off a device you control.

Historical Abuse of Messaging App Account Linkage

The GhostPairing campaign emerges amid prior abuses of "linked device" features in messaging apps by state-aligned threat actors, including those associated with Russian intelligence operations. Although no public attribution has been made for GhostPairing, it uses methods similar to those observed in campaigns targeting Signal Messenger and other platforms in geopolitical contexts.

According to research by Google's Threat Intelligence Group (GTIG), multiple Russia-aligned threat clusters have targeted Signal Messenger by exploiting the application's linked devices functionality. Signal, like WhatsApp, allows users to link multiple devices, typically by scanning a QR code.

Russian threat actors adapted this feature by creating malicious QR codes embedded in phishing lures that appeared to be legitimate group invitations, security alerts, or device pairing instructions. Scanning these codes does not add a user to a group; instead, it silently links the victim's Signal account to a device controlled by the attacker.

These compromised linked sessions enable attackers to receive the same encrypted messages as the intended user in real-time. This method does not break encryption; the attacker simply gains legitimate access by convincing the user to consent to the device link. As GTIG noted, this approach has become one of the most novel and widely used techniques in Russian-aligned phishing operations against Signal accounts.

Two distinct Russian threat clusters were highlighted:

  • UNC5792 altered legitimate Signal group invite pages to redirect users to a malicious device-linking URL.
  • UNC4221 utilized a targeted phishing kit that impersonated software reportedly used by Ukrainian military personnel, embedding malicious QR codes to link Signal accounts to the attacker's devices.

Beyond remote phishing, some operations extended into close-contact exploitation, where attackers with brief physical access to a target's unlocked phone linked it to their own devices for later exploitation.

The historical activity includes several recurring tactics:

  • Malicious QR codes or modified invite mechanisms disguised as user-expected interactions.
  • Phishing pages that mimic official guides for linking devices, but, in reality, trigger unintended linked sessions.
  • Targeting high-value individuals whose communications were of intelligence interest, such as military personnel, diplomats, activists, and journalists.

These campaigns did not exploit cryptographic flaws in Signal or WhatsApp. Instead, they relied on social engineering combined with legitimate app functionality—a commonality with GhostPairing. Such tactics are stealthy and may go undetected, as users are not always immediately suspicious of added linked devices.

Both contemporary GhostPairing attacks and earlier Russian state-aligned abuses illustrate a common lesson: as messaging platforms add convenience features like multi-device support, attackers are incentivized to misuse those capabilities. Users are the last line of defense.

To improve security, do not respond to unsolicited code prompts, audit your linked devices in the app's settings regularly, and only link or update devices through the app's official procedures. Stay alert to any unfamiliar device activity and to messages that prompt you to enter a code.


Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

PCrisk security portal is brought to you by the company RCS LT.