The Indian government has issued a critical warning against WhatsApp. The government's Indian Computer Emergency Response Team (CERT-In) has issued a critical advisory alerting WhatsApp users to an ongoing
account hijacking campaign known as 'GhostPairing. The campaign exploits WhatsApp's device-linking feature to allow cybercriminals to gain silent, full control of victims' accounts without passwords, OTPs, or SIM changes.
What is the WhatsApp 'GhostPairing' exploit?
GhostPairing is a sophisticated social engineering attack that abuses WhatsApp's legitimate multi-device linking functionality. Malicious actors trick users into unknowingly pairing an attacker's device (often a browser session) as a 'hidden' linked device, granting it privileges similar to WhatsApp Web.
According to CERT-In, "malicious actors are exploiting WhatsApp's device-linking feature to hijack accounts using pairing codes without authentication requirement." This results in attackers gaining persistent access while the victim's primary phone continues to function normally, with no obvious alerts or forced logouts.
How the WhatsApp attack works
The campaign typically starts with a deceptive message from a seemingly trusted contact (often a compromised account), such as "Hi, check this photo," accompanied by a link featuring a convincing Facebook-style media preview.
- Clicking the link redirects the user to a fake webpage mimicking a Facebook or media viewer.
- The page prompts the victim to 'verify' their identity by entering their phone number.
- Behind the scenes, the attacker uses this phone number to initiate a device-pairing request.
- The victim then receives a legitimate WhatsApp pairing code prompt on their phone.
- The fake site instructs the user to enter this code to 'continue viewing' the content, unknowingly completing the pairing for the attacker's device.
In some variants, the fake page displays a real-time QR code for the victim to scan. Once paired, the attacker's device syncs silently in the background.
The campaign was first observed in the Czech Republic but is now spreading globally, including to Indian users, with compromised accounts used to target further victims.
What does teh hacker gain access to?
Successful GhostPairing grants attackers extensive access, including:
- Reading all existing and new incoming messages in real-time.
- Viewing and downloading photos, videos, voice notes, and other media.
- Sending messages to the victim's contacts and groups, impersonating the user.
- Operating undetected for prolonged periods, as the linked device remains hidden unless manually checked.
This can lead to privacy breaches, financial scams, misinformation spread, or chain attacks on the victim's network.
How to protect yourself
CERT-In strongly advises users to follow these preventive measures:
- Avoid suspicious links: Do not click on unexpected links or media previews, even from known contacts, as accounts may be compromised.
- Never share phone numbers or codes externally: Refuse to enter your phone number or any WhatsApp verification/pairing codes on third-party websites.
- Regularly check linked devices: Go to WhatsApp Settings > Linked Devices and log out any unfamiliar or unknown sessions immediately.
- Enable two-step verification: In WhatsApp Settings > Account > Two-step verification, set up a PIN for added security.
- Keep the app updated: Always install the latest official WhatsApp updates from trusted sources.
- Report incidents promptly: If you suspect compromise, contact local cybercrime authorities, report via cybercrime.gov.in, and notify WhatsApp support.
WhatsApp has not yet released an official statement addressing this specific campaign.
