The GhostPairing attack is a sophisticated social engineering campaign targeting WhatsApp users, discovered and named by security researchers at Gen Digital (owners of Norton, Avast, Avira, and AVG) in December 2025. It exploits WhatsApp's legitimate device linking (or "companion mode") feature, which allows users to connect up to four additional devices (like WhatsApp Web or desktop) to their account for multi-device access.
Unlike traditional hacks that steal passwords, SIM cards, or exploit software bugs, GhostPairing tricks victims into manually approving an attacker's device as a trusted linked session. This grants the attacker full, persistent access to the victim's chats without breaking end-to-end encryption—they simply become an "invisible" (ghost) linked device.
The attack was first widely reported in mid-December 2025, with initial detections in Czechia, but it has spread globally as compromised accounts propagate the scam.
How the Attack Works
- Initial Lure: The victim receives a WhatsApp message from a trusted contact (often a previously compromised account) with a short, intriguing teaser like "Hey, I just found your photo!" or similar, accompanied by a link that previews as a Facebook-style image.
- Fake Verification Page: Clicking the link opens a phishing site mimicking Facebook (e.g., domains like photobox.life or yourphoto.life). It prompts the user to "verify" or "log in" by entering their phone number to view the content.
- Device Pairing Hijack:
  - The attacker uses the provided phone number to initiate WhatsApp's official "link device via phone number" process (an alternative to QR code scanning).
  - WhatsApp issues an 8-digit pairing code to the attacker's linking session and shows a prompt on the victim's phone asking for that code.
  - The fake page displays this code (relayed by the attacker's server) and instructs the victim to enter it in WhatsApp to "complete verification" or "confirm login."
- Victim Approves Access: Believing it's a routine security step, the victim enters the code. This unknowingly links the attacker's browser as a trusted device.
- Persistent Compromise: The attacker now has real-time access to all messages, media, contacts, and can send/receive as the victim. The session remains active indefinitely until manually removed, and the victim often notices nothing unusual.
Attackers prefer the numeric code method over QR codes because it keeps everything on the victim's phone, making it more seamless and scalable.
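A defender-side triage sketch for the flow described above, added here as an example and not taken from the Gen Digital research: it scans web proxy logs for the lure domains named in this article and separates users who only opened the page from those who submitted the form. The log format, the sample lines, and the use of a POST request as a sign that the phone number was submitted are assumptions.

```python
from urllib.parse import urlsplit

# Lure domains named in the article; extend this set from your own threat intel.
LURE_DOMAINS = {"photobox.life", "yourphoto.life"}

# Constructed sample lines. Assumed format: timestamp user method url status
# (requires a proxy that logs full URLs and methods, i.e. TLS inspection).
SAMPLE_LOG = """\
2025-12-16T09:14:02Z alice GET https://photobox.life/view?id=1 200
2025-12-16T09:14:31Z alice POST https://photobox.life/verify 200
2025-12-16T09:20:10Z bob GET https://www.yourphoto.life/p/abc 200
2025-12-16T09:21:00Z carol GET https://www.facebook.com/photo 200
2025-12-16T09:22:00Z dave GET https://notphotobox.life/ 200
malformed line
"""


def is_lure_host(host):
    """True if host is a lure domain or a subdomain of one (not a mere suffix match)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)


def triage(log_text):
    """Map each user who reached a lure domain to 'visited' or 'submitted'.

    'submitted' means a POST was seen (assumed to be the phone-number form),
    so that user should review WhatsApp > Settings > Linked Devices first.
    """
    result = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, user, method, url, _ = parts
        if not is_lure_host(urlsplit(url).hostname):
            continue
        if method.upper() == "POST":
            result[user] = "submitted"  # escalate and never downgrade
        else:
            result.setdefault(user, "visited")
    return result


if __name__ == "__main__":
    for user, level in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {level}")
```

A "visited" result does not rule out compromise; it only orders who should check their linked devices first.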
Why It's Dangerous
- Bypasses Strong Security: No need for passwords, two-factor codes, or malware—relies purely on user trust and familiarity with verification prompts.
- Self-Propagating: Attackers use hijacked accounts to spam contacts/groups, exploiting real relationships for higher success rates.
- Stealthy: WhatsApp does not prominently notify users about linked devices after initial setup, and attackers can spy or impersonate without locking out the owner.
- Broader Implications: The attack highlights risks in multi-device features across apps (similar to past abuses in Signal).
How to Protect Yourself
- Check Linked Devices Regularly:
  - Open WhatsApp > Settings > Linked Devices.
  - Review active sessions and log out any unfamiliar ones (e.g., unknown browsers or locations).
- Be Suspicious of Unsolicited Links/Prompts:
  - Never enter pairing codes or scan QR codes requested via external websites or messages.
  - Verify unexpected messages, even from known contacts—ask them directly via another channel.
- Enable Two-Step Verification: Go to Settings > Account > Two-step verification. This adds a PIN but won't fully block GhostPairing: the PIN prevents new registrations of your number, not the linking of additional devices.
- General Best Practices:
  - Avoid clicking suspicious links.
  - Keep WhatsApp updated.
  - Educate contacts about the scam to break the chain.
This attack underscores that convenience features like easy device pairing can become vulnerabilities when combined with social engineering. If you suspect compromise, immediately review and revoke linked devices.