
Security researchers at Avast have uncovered a new WhatsApp takeover scam that does not rely on stolen passwords, broken encryption or SIM-swapping. Instead, it tricks users into granting access to their own accounts.
Dubbed “GhostPairing”, the attack abuses WhatsApp’s legitimate device-linking feature. It typically begins with a message that appears to come from a trusted contact, such as “Hey, I found your photo.” When the recipient clicks the link, they are taken to a fake Facebook-style page prompting them to “verify” before viewing the image.
What appears to be a routine security check is actually WhatsApp’s own device-pairing process. By entering a legitimate pairing code, victims unknowingly add the attacker’s browser as a linked device. This gives criminals ongoing access to messages, photos and contacts, without changing the account password or locking the victim out of their phone.
Because the account continues to function normally, many victims are unaware that their conversations are being monitored in real time. The scam is particularly effective because compromised accounts then message friends, family members and group chats, allowing the attack to spread organically through trusted networks.
Avast researchers warn that the access gained through GhostPairing enables more serious follow-on fraud, including impersonation, targeted scams and extortion, as attackers can read private messages, voice notes and shared images.
The attack highlights a broader shift in cybercrime tactics. Rather than attempting to defeat security systems, criminals are increasingly persuading users to approve access themselves, exploiting familiar verification prompts and pairing codes that people have been trained to trust.
This is especially concerning in Australia, where recent Avast survey data shows growing anxiety about online scams. Nearly half of Australians (47%) say they are more concerned about scams than a year ago, while 73% worry about their personal information being compromised and 63% fear becoming a victim of cybercrime.
The risk is amplified by the scale of messaging app use. As of early 2025, 97% of Australians are online, almost half of internet users aged 16 and over use WhatsApp, and more than 90% use chat messaging services. Active WhatsApp users open the app close to 200 times per month, creating repeated opportunities for scams like GhostPairing to spread unnoticed through everyday conversations.
Avast said GhostPairing is not just a WhatsApp issue, but a warning sign for any platform that relies on fast, low-visibility approval mechanisms.
Consumers are advised to regularly check WhatsApp’s “Linked Devices” settings and remove any unfamiliar connections, treat any website request to scan a WhatsApp QR code or enter a pairing code as suspicious, and enable two-step verification. Sharing awareness of the scam with family members and group chats can also help stop it spreading further.
