2025-12-18

Cyber security researchers at Gen have identified a new WhatsApp account takeover technique that exploits the platform's own device-linking feature and relies on user approval rather than stolen passwords or SIM swaps.

The campaign, which researchers call a "GhostPairing" attack, persuades victims to link an attacker's browser as an additional WhatsApp device.

The attackers then gain ongoing access to chats, media and contacts while the legitimate user continues to use the app as normal.

The activity first appeared in Czechia but researchers say the method does not depend on language and can be adapted for any market by changing the lure text.

Deceptive lure

The attack begins with a short WhatsApp message that appears to come from a known contact. The typical wording is along the lines of "Hey, I just found your photo!" and includes a link that renders with a Facebook-style preview inside WhatsApp.

When the recipient taps the link, they land on a stripped-down page that uses Facebook branding and colours and presents a button inviting them to "continue" or "verify" before viewing the supposed photo. The page does not connect to Facebook. It acts as a control panel for the attacker and mediates between the victim and the legitimate WhatsApp Web infrastructure.

Depending on the variant, the next screen either displays a QR code with instructions to scan it using WhatsApp, or shows a numeric code and tells the user to enter it in the app to confirm a login.

Both routes use WhatsApp's normal device-linking flows. The result is that the attacker's browser is added as a linked device on the victim's account.

Abusing pairing flows

WhatsApp allows users to link additional devices through WhatsApp Web or the desktop client. Users can scan a QR code displayed on a computer screen, or link via phone number and a numeric pairing code that must be confirmed in the app.

Gen's analysis indicates that the GhostPairing operators favour the numeric code route. The QR option is technically feasible but is less practical in mass scams because many users run WhatsApp and their browser on the same phone, which makes scanning a code displayed on the same device difficult.

In the numeric variant, the fake Facebook-style page asks the user to enter their phone number. The page forwards that number to WhatsApp's legitimate "link device via phone number" endpoint. WhatsApp generates a pairing code that is intended only for the account owner.

The attacker's site takes that legitimate code and displays it back to the victim alongside text that suggests they should enter it into WhatsApp to complete a verification and see the photo. The user then opens WhatsApp, sees the pairing prompt, and types in the code.

From WhatsApp's perspective, the account owner has just confirmed a new linked device using the correct code. From the victim's perspective, the interaction resembles a routine security check similar to two-factor authentication flows on other services.

Stealthy access

Once linked, the attacker's browser session has the same functions as any normal WhatsApp Web connection. The operator can view synced historical conversations, receive new messages, and download photos, videos and voice notes.

Attackers can also send messages and forward the same lure across individual chats and group conversations while appearing as the victim. This enables rapid propagation through family groups, school chats, sports teams and work discussions.

The original device remains active and continues to send and receive messages. Many users may not notice that an extra browser session has been added in the Linked Devices section. The access can remain active until the user manually reviews and removes unknown sessions.

In the cases examined by Gen, automated restrictions did not always terminate the linked session. The researchers say that, without manual intervention from the victim, attackers can retain long-term access.

Kit-style operation

The domains used in the campaign imitate Facebook-related themes and focus on photos and posts, using names such as "photobox.life", "yourphoto.life" and "photopost.live". Paths often include strings like "/login/post.com" or "/login/facepost.com" to sustain the illusion of a social media viewer.

Researchers observed the same layout and Facebook-style viewer across multiple domains. They say this points to a reusable kit that different attackers can deploy rather than a single bespoke operation. If one domain is blocked, operators can switch traffic to a fresh domain with minimal changes.

The approach relies heavily on social engineering and on the trust that users place in familiar contacts and brands. It does not rely on password theft or interception of SMS codes. It stays within the normal functions of WhatsApp's device-linking system.

User responses

Gen's researchers recommend that individuals regularly review the list of devices linked to their WhatsApp account. Users can check this by opening WhatsApp, going to Settings, selecting Linked Devices, and logging out of any session they do not recognise.

They also suggest that users treat requests from websites that ask them to scan WhatsApp QR codes or enter WhatsApp numeric codes with suspicion. In normal use, device linking should begin inside WhatsApp as a deliberate action by the user rather than as a step requested by an external page.

The researchers say that enabling WhatsApp's Two Step Verification feature adds another barrier against some forms of abuse, although it does not address the GhostPairing technique directly. They also note that sharing warnings about the lure among friends and family can reduce the pool of likely victims.

Wider implications

The team argues that the pattern behind GhostPairing has relevance beyond WhatsApp. Many services now support pairing or approval-based login flows that link an additional device or browser to an existing account using QR codes, numeric codes or "approve on your phone" prompts.

Those designs often create long-lived sessions that remain active in the background and may have low visibility in user interfaces. This can give attackers a chance to establish a so-called ghost device if they control the prompt and persuade the user to complete the process.

Gen suggests that platforms could introduce clearer warnings and stronger context around device-linking events, such as surfacing device type, location and origin of the request, and could explore rate limits and automatic revocation tied to abuse signals.
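A toy model of the numeric pairing flow described under "Abusing pairing flows", added here as an illustration and not code from Gen or WhatsApp: it shows why a relayed pairing code links the browser that requested it rather than the victim's, how the Linked Devices review catches the extra session, and what the request context Gen proposes surfacing in the prompt would look like. The server, the device-context fields and the 8-digit code format are assumptions.

```python
# Toy model of a phone-number pairing flow and the GhostPairing relay.
# Constructed illustration: the server, device-context fields and 8-digit
# code format are assumptions, not WhatsApp's real protocol.
import secrets
from dataclasses import dataclass, field

@dataclass
class PendingPair:
    code: str
    requester: dict  # context of the browser that asked for the code

@dataclass
class PairingServer:
    pending: dict = field(default_factory=dict)  # phone -> PendingPair
    linked: dict = field(default_factory=dict)   # phone -> [device contexts]

    def request_code(self, phone, requester):
        """'Link device via phone number': any browser may ask for a code."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[phone] = PendingPair(code, requester)
        return code

    def prompt_for(self, phone):
        """Context a hardened app would show beside the code-entry prompt."""
        p = self.pending[phone]
        return {"device": p.requester["device"], "country": p.requester["country"]}

    def confirm(self, phone, typed_code):
        """Owner types the code: it links the requester, whoever that was."""
        p = self.pending.pop(phone, None)
        if p is None or not secrets.compare_digest(p.code, typed_code):
            return False
        self.linked.setdefault(phone, []).append(p.requester)
        return True

ATTACKER_BROWSER = {"device": "Chrome on Linux", "country": "XX"}  # constructed

def simulate_ghost_pairing(server, victim_phone):
    """Relay page requests the code, shows it to the victim, victim confirms."""
    code = server.request_code(victim_phone, ATTACKER_BROWSER)
    prompt = server.prompt_for(victim_phone)     # what the victim could be shown
    linked = server.confirm(victim_phone, code)  # victim types the relayed code
    return {"prompt": prompt, "linked": linked}

def audit_linked_devices(server, phone, known_devices):
    """The manual check Gen recommends: sessions that are not the owner's."""
    return [d for d in server.linked.get(phone, []) if d not in known_devices]
```

The prompt context shows a device and country the victim does not recognise, which is the signal a clearer device-linking warning would put in front of the user before they type the code.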

"The more our digital lives depend on quick QR scans and 'approve on your phone' flows, the more important it becomes to design these steps so that a single moment of inattention does not quietly create a ghost device that lives in the background for months," said Corrons, Security Evangelist at Gen.