GhostPairing: CERT-In Issues Security Advisory

India’s cybersecurity agency CERT-In has warned users about a new malicious WhatsApp account-takeover campaign known as “GhostPairing”. The attack exploits WhatsApp’s device-linking feature, allowing threat actors to gain full access to a victim’s chats and account functions through WhatsApp Web–like companion devices.

How the GhostPairing Attack Works

• Attack begins with a message from a trusted contact saying:  “Hi, check this photo.”
• The user is tricked into scanning or entering a device-linking code.
• Once linked, attackers gain persistent remote access to the victim’s WhatsApp account.

What Attackers Can Do After Linking

• Read all chats & messages (including real-time incoming messages)
• Access photos, videos, voice notes
• Impersonate the victim & send messages to individuals and groups
• Continue activity without the victim noticing immediately

Why Attack Is Dangerous

GhostPairing exploits multi-device login behaviour– once paired, the attacker’s device operates like an authorized WhatsApp Web session, without requiring SIM presence on that device.

CERT-In Advisory- Key Points

• Alert issued after rising incidents of WhatsApp account hijacking via linked-device abuse.
• Advisory follows DoT’s move to mandate continuous SIM-binding for messaging apps.

DoT SIM-Binding Directive- Context

• Messaging apps like WhatsApp, Signal, Telegram will require that accounts:
  • Stay accessible only on devices containing the active SIM linked to the account.
• Companion devices (e.g., WhatsApp Web):
  • Will be logged out every 6 hours
  • Users must re-link via QR code

Objective

• To curb digital fraud & impersonation scams involving hijacked messaging accounts.

Concerns & Criticism

• Lawyers & digital-rights groups warn:
  • Possible privacy risks
  • Reduced usability across multiple devices & work environments
• Cybersecurity experts highlight:
  • Implementation hurdles and technical challenges

Related Incident: I4C Findings (October 2025)

• The Indian Cybercrime Coordination Centre (I4C) identified a transnational scam trend where:
  • Fraudsters used Facebook & Instagram ads to trick users into linking WhatsApp accounts to attacker-controlled portals.