GhostPairing: The WhatsApp Takeover CERT-In and MeitY Are Warning About

CERT-In and MeitY have warned WhatsApp users about GhostPairing, a silent account takeover technique that exploits device linking to hijack chats without passwords or SIM swaps.

Manisha Sharma

India’s cybersecurity establishment is flagging a new class of WhatsApp account takeover, one that does not rely on stolen credentials, malware downloads, or SIM swap fraud. Instead, it exploits something far more routine: how users link WhatsApp to additional devices.

The Indian Computer Emergency Response Team (CERT-In), along with the Ministry of Electronics and Information Technology (MeitY), has issued advisories on an active cyber campaign called GhostPairing, warning that attackers are abusing WhatsApp’s device-linking feature to gain full, unauthorized access to user accounts.

What sets GhostPairing apart is not technical sophistication but subtlety. The attack hinges on social engineering and misplaced trust, making it difficult for users and even organizations to detect until damage is already done.

Why Regulators Are Raising the Alarm Now

The warning comes at a time when messaging apps like WhatsApp have evolved beyond personal chat tools. They are now embedded in professional communication, community coordination, and increasingly, financial interactions.

CERT-In rated the GhostPairing campaign as “High” severity, noting that attackers can take over accounts without requiring passwords or SIM swaps. MeitY echoed the concern, stating that offenders are exploiting WhatsApp’s device-linking mechanism to hijack accounts using pairing codes that do not trigger authentication alerts.

This timing is also significant. The advisory follows the Department of Telecommunications’ (DoT) recent directive mandating continuous SIM binding for messaging platforms—a move aimed at curbing fraud driven by account hijacking. GhostPairing exposes a parallel risk: even without SIM compromise, accounts can still be taken over if users are deceived into authorising access.

What Is GhostPairing, Exactly?

GhostPairing is a WhatsApp account takeover technique that misuses the platform’s multi-device capability, which allows users to access their chats on laptops, tablets, or browsers.

“In a nutshell, the GhostPairing attack tricks users into granting an attacker’s browser access as an additional trusted and hidden device by using a pairing code that looks authentic,” CERT-In said.

Once the attacker’s device is linked, it functions like any other legitimate companion device. The victim remains logged in on their phone, often unaware that someone else is simultaneously monitoring conversations.

There is currently no limit on the number of devices that can be linked to a WhatsApp account, which further amplifies the risk.

How the Attack Typically Unfolds

According to CERT-In and MeitY, the GhostPairing campaign follows a predictable but effective pattern that leverages familiarity and urgency.

Victims usually receive a message from a trusted contact saying, “Hi, check this photo.”

The sequence then unfolds as follows:

  • The message contains a link with a Facebook-style preview

  • The link redirects users to a fake viewer page

  • Users are prompted to “verify” by entering their phone number and a code

“By following a short, seemingly harmless sequence of steps, victims unknowingly grant attackers full access to their WhatsApp accounts, without any password theft or SIM swapping,” CERT-In noted.

From that point, the attacker’s device is quietly paired to the account.

What Attackers Can Do After Pairing

Once GhostPairing is successful, threat actors gain access to everything available through WhatsApp Web. This includes:

  • Reading past conversations

  • Receiving new messages in real time

  • Accessing photos, videos, and voice notes

  • Sending messages while impersonating the victim

For individuals, this can quickly escalate into financial fraud or reputational damage. For organisations that rely on WhatsApp for internal or customer communication, the implications include data exposure, social engineering at scale, and trust erosion.

A Broader Pattern of Messaging-App Abuse

The GhostPairing advisory aligns with earlier warnings from the Indian Cybercrime Coordination Centre (I4C), which identified a transnational crime trend where scammers used ads on social platforms to trick users into linking their WhatsApp accounts.

What is changing is the technique. Rather than brute-force takeovers, attackers are increasingly exploiting legitimate product workflows and relying on user action to complete the breach.

This shift also explains why the DoT’s SIM-binding directive, while well-intentioned, has drawn criticism. Lawyers and digital rights advocates have raised concerns about privacy, multi-device access, and implementation challenges, particularly for professionals who rely on WhatsApp across multiple endpoints.

GhostPairing underscores that security risks now sit at the intersection of technology design, policy, and human behaviour.

What Users and Organisations Should Do

CERT-In and MeitY have outlined specific mitigation steps to reduce exposure to GhostPairing-style attacks.

For Individual Users

  • Avoid clicking on suspicious links, even from known contacts

  • Never enter phone numbers or verification codes on external sites

  • Regularly review Linked Devices via WhatsApp > Settings > Linked Devices

  • Immediately log out of any unrecognized device

For Organisations Using WhatsApp

  • Conduct security awareness training focused on messaging-based threats

  • Enforce mobile device management (MDM) policies where applicable

  • Monitor for phishing and social engineering indicators

  • Establish clear protocols for rapid detection and remediation
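
One way an organisation could turn the lure pattern described above (a "check this photo" message whose link shows a Facebook-style preview but leads elsewhere) into a triage check for reported messages. This is an added example, not code from the CERT-In or MeitY advisories; the record fields `text` and `preview_site`, the domain allowlist, the lure wording and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuinely Facebook-owned for the brand check.
FACEBOOK_HOSTS = {"facebook.com", "fb.com", "fb.watch"}
# Assumption: lure wording modelled on the "Hi, check this photo" message.
LURE_RE = re.compile(r"\b(check|look at|see)\b.{0,20}\b(photo|picture|pic)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_facebook_host(host):
    """True for an allowlisted domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_HOSTS)


def triage(message):
    """Return (verdict, reasons) for one reported message record.

    The fields 'text' and 'preview_site' (site name shown on the
    link-preview card) are hypothetical names for this example.
    """
    text = message.get("text", "")
    urls = URL_RE.findall(text)
    reasons = []
    if urls and LURE_RE.search(text):
        reasons.append("photo lure with link")
    claims_facebook = "facebook" in message.get("preview_site", "").lower()
    for url in urls:
        host = urlsplit(url).hostname or ""
        # Brand mismatch: the preview says Facebook, the destination does not.
        if claims_facebook and not is_facebook_host(host):
            reasons.append("Facebook-style preview, non-Facebook host: " + host)
    verdict = "escalate" if len(reasons) >= 2 else "review" if reasons else "ok"
    return verdict, reasons


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"text": "Hi, check this photo https://photo-viewer.example/p/8841", "preview_site": "Facebook"},
    {"text": "Hi, check this photo https://www.facebook.com/photo/?fbid=1", "preview_site": "Facebook"},
    {"text": "Minutes from today: https://intranet.example/minutes", "preview_site": "Intranet"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The suffix match in `is_facebook_host` is deliberate: a host such as `facebook.com.photo-viewer.example` contains the brand name but is not a Facebook subdomain, so it still counts as a mismatch.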

GhostPairing is a reminder that modern cyber threats do not always break systems; they persuade users. By exploiting trust, routine behavior, and feature familiarity, attackers are finding quieter paths into widely used platforms.

As CERT-In and MeitY’s advisories make clear, protecting messaging accounts now requires more than strong passwords or SIM controls. It demands user awareness, regular hygiene checks, and a more critical approach to seemingly harmless prompts.

In an ecosystem where convenience and connectivity define user experience, GhostPairing shows how easily the balance can tip and why vigilance remains the last line of defense.