Warning: "GhostPairing" Attack Hijacks WhatsApp Accounts with Malicious QR Codes

"GhostPairing" Social Engineering Campaign Hijacks WhatsApp Accounts via Device Linking Feature

Severity: HIGH
December 20, 2025
Categories: Phishing, Mobile Security, Cyberattack


Executive Summary

India's Computer Emergency Response Team (CERT-In) issued a high-severity advisory on December 19, 2025, warning of a social engineering campaign named "GhostPairing." This attack targets WhatsApp users by exploiting the platform's legitimate 'Link a device' feature. Attackers trick victims into visiting a malicious website and scanning a QR code or entering a pairing code, which then links the attacker's device to the victim's WhatsApp account as a 'companion' device. Once linked, the attacker gains persistent, real-time access to the victim's chats, contacts, and media. The attack is particularly insidious because it does not require stealing the victim's password or phone, nor does it involve a traditional SIM swap. It relies entirely on social engineering to manipulate the user into authorizing the attacker's access.


Threat Overview

The "GhostPairing" attack is a classic example of social engineering fused with the abuse of a legitimate application feature. The attack flow is as follows:

  1. Lure: The victim receives a message, often from a compromised account of a trusted contact, containing a tempting link (e.g., "Check out this photo of you!"). The message creates a sense of urgency or curiosity.
  2. Redirect: Clicking the link takes the victim to a malicious website controlled by the attacker. This website is designed to look convincing, perhaps like a content verification page, a login portal, or a prize-winning notification.
  3. Deception: The website instructs the victim to take an action to 'verify their identity' or 'view the content.' This action involves tricking them into using WhatsApp's device linking feature. The site may display a QR code and instruct the user to scan it with their WhatsApp app (Settings > Linked Devices > Link a Device) or provide a one-time code to be entered on the page.
  4. Compromise: The victim, believing they are following a legitimate process, scans the attacker's QR code or provides the pairing code. This action authorizes the attacker's device (e.g., a browser session running WhatsApp Web) to be linked to their account.
  5. Access: The attacker now has a 'ghost' session of the victim's WhatsApp account. They can read all incoming and outgoing messages, access historical chats (if synced), and see all contacts and media. They can also send messages impersonating the victim, allowing them to propagate the attack to the victim's contacts or engage in fraud.

Technical Analysis

This is not a technical vulnerability in WhatsApp but rather abuse of a feature that is working as designed. The core of the attack is social engineering.

  • Technique: T1566.002 - Spearphishing Link. The initial message with the malicious link is a form of spearphishing.
  • Technique: T1204.002 - Malicious File (User Execution). The user is the one who ultimately performs the action that leads to compromise; the attacker simply provides the instructions and the mechanism (the QR code).
  • Impact: The attacker gains access similar to T1529 - System Shutdown/Reboot in that it's a direct manipulation of a user's primary communication tool, leading to significant personal and potentially financial impact.

Impact Assessment

The impact of a successful GhostPairing attack can be severe:

  • Privacy Invasion: The attacker has complete access to the victim's private conversations, photos, and videos.
  • Impersonation and Fraud: The attacker can impersonate the victim to solicit money from friends and family, spread misinformation, or ask for sensitive information.
  • Lateral Spreading: The compromised account becomes a launchpad to send the malicious link to all of the victim's contacts, rapidly spreading the attack.
  • Blackmail: The attacker could use sensitive information found in the chats to extort or blackmail the victim.
  • Corporate Risk: If the victim uses WhatsApp for business communications, the attacker could gain access to sensitive corporate data, client information, or internal discussions.

Detection & Response

Detection of a GhostPairing compromise relies on user vigilance.

D3FEND Reference: D3-LUC: Linked-device User Content Heuristics (Conceptual)

  1. Regularly Check Linked Devices: The most effective way to detect this compromise is to be proactive. Users should regularly navigate to WhatsApp Settings > Linked Devices. This screen will show all computers and devices currently linked to the account. Any device that is not recognized should be immediately logged out by tapping on it and selecting 'Log Out'.
  2. Unusual Activity: If friends or contacts report receiving strange messages from you that you did not send, this is a major red flag that your account may be compromised.
  3. WhatsApp Web Notifications: WhatsApp on mobile devices typically shows a persistent notification when a Web or Desktop session is active. Users should pay attention to this notification. If it is active when you are not using a linked device, your account may be compromised.

Mitigation

Mitigation is entirely based on user awareness and cautious behavior.

D3FEND Reference: D3-UT: User Training

  1. Be Skeptical of Unsolicited Links: Never click on suspicious links or open attachments, even if they appear to come from a trusted contact. Verify with the person through another communication channel (like a phone call) if a message seems unusual.
  2. Never Scan QR Codes from Untrusted Sources: Only use the 'Link a Device' feature for your own computers or trusted devices. Never scan a QR code presented on a website as part of a verification or login process.
  3. Protect Your Phone: Do not leave your phone unlocked and unattended. Physical access to your phone is all someone needs to link their device in seconds.
  4. Enable Two-Step Verification: While it won't prevent the GhostPairing attack itself (as the attack doesn't involve re-registering the account), enabling Two-Step Verification in WhatsApp (Settings > Account > Two-Step Verification) provides a crucial layer of protection against other account takeover methods like SIM swapping.
  5. Educate Others: Share information about this and similar scams with friends and family to raise collective awareness.

Timeline of Events

  1. December 19, 2025: CERT-In issues a high-severity advisory about the GhostPairing attack.
  2. December 20, 2025: This article was published.

MITRE ATT&CK Mitigations

The primary defense against social engineering attacks like GhostPairing is user education and awareness.

Encouraging users to regularly review account settings, such as linked devices, is a key defensive habit.

D3FEND Defensive Countermeasures

Since GhostPairing is a pure social engineering attack that exploits user trust and misunderstanding of a feature, the primary and most effective countermeasure is user education. Organizations and individuals must be trained to recognize the tactics of such attacks. Key training points should include:

  1. A firm rule to never scan a WhatsApp QR code or enter a pairing code from any website or at the request of another person. The 'Link a Device' feature is ONLY for linking one's own personal computer.
  2. Cultivating a healthy skepticism towards unsolicited messages, even from known contacts, that contain urgent requests or suspicious links.
  3. The importance of verifying unusual requests through a separate communication channel.
  4. A step-by-step guide on how to regularly check the 'Linked Devices' section in WhatsApp settings and how to log out any unrecognized devices.

This training transforms the user from a potential victim into the first line of defense.

In the context of the GhostPairing attack, 'Local Account Monitoring' translates to users actively monitoring their own WhatsApp account's security settings. Users should be encouraged to make it a regular habit, perhaps weekly, to navigate to 'Settings > Linked Devices' within the WhatsApp application. This screen provides a direct audit log of all active sessions linked to the account. By reviewing this list, the user can immediately spot any device they do not recognize. The presence of an unknown device (e.g., 'Google Chrome on Windows' when the user owns a Mac) is a definitive indicator of compromise. Users must know how to select the unrecognized device and tap 'Log Out' to immediately evict the attacker. This simple, proactive self-auditing behavior is the most direct method for detecting and responding to a successful GhostPairing attack.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Social Engineering, WhatsApp, Account Takeover, QR Code, CERT-In
