Cyber security researchers have uncovered a sophisticated new attack that is hijacking WhatsApp accounts by exploiting user trust rather than breaking encryption. Dubbed 'GhostPairing', the scam gives attackers real-time access to victims' private messages, photos, and videos.
How the 'GhostPairing' Scam Works
The attack begins with a deceptive message that appears to come from a known contact. This message contains a link, often promising a photo of the recipient. Instead of showing an image, the link directs the user to a fake Facebook login page that asks for their phone number.
At this point, the malicious page triggers WhatsApp's legitimate device-pairing feature, generating a QR-like code. The victim is then instructed to enter this code into their WhatsApp app to 'view the photo'. By doing so, they unknowingly authorise a hacker's device to link to their account, bypassing any need for passwords or two-factor authentication.
A Dangerous 'Snowball Effect'
Researchers from the cyber security firm Avast, who discovered the scam, warn that its design creates a dangerous chain reaction. Once a hacker controls one account, they can use it to send the same malicious link to the victim's contacts, spreading the attack rapidly. This 'snowball effect' makes the threat particularly potent.
Luis Corrons, a Security Evangelist at Avast, told The Independent that this marks a shift in cybercrime tactics. "This campaign highlights a growing shift in cybercrime: breaching people's trust is as important as breaching their security systems," he said. "Scams like GhostPairing turn trust into a tool for abuse."
How to Protect Your WhatsApp Account
Avast notes that people may have already fallen victim without realising. WhatsApp users are urged to check their linked devices immediately. This can be done by going to Settings > Linked Devices within the app. Any unfamiliar devices should be removed instantly.
Corrons emphasised that the implications extend beyond a single platform. "This isn't just a WhatsApp issue," he stated. "It's a warning sign for any platform that relies on fast, low-visibility device pairing." The discovery, made public on Monday 22 December 2025, underscores the need for heightened vigilance with all authentication prompts.