CERT-In’s new WhatsApp warning is a good reminder that even “everyday” applications can be the entry point for severe cyber attacks, not necessarily because WhatsApp’s encryption has been broken, but because attackers have learned to misuse normal functions and the human trust placed in them.

On December 19, 2025, CERT-In released advisory CIAD-2025-0055, a warning about a “Ghost Pairing” attack.
According to the advisory (and the reporting that has followed), attackers are abusing WhatsApp’s device-linking / multi-device functionality to gain “full” access to a victim’s WhatsApp account, without any SIM swap or the victim’s password, by tricking victims into entering or approving a pairing code (or following the link flow).
This is a detailed explanation of what it is, how it works, why it’s important, and exactly how you can protect yourself (or your family/office groups):
1) What CERT-In is warning about (simple language)
The core concept
“Ghost Pairing” is essentially a WhatsApp account hijack carried out through device pairing. WhatsApp offers the convenience of using the same account on several devices (e.g., WhatsApp on a smartphone and WhatsApp Web/Desktop). That convenience creates a risk for the targeted person: if an attacker succeeds in pairing their own device to the account, they can read chat messages in real time and, in some cases, even send messages.
Why this is scary
The arrival of
What most people think:
“If my SIM is safe and I do not share my OTP, my WhatsApp is safe.”
GhostPairing turns this assumption on its head because it goes after a different route into the account: linking a device, usually through social engineering (that is, deceiving you) rather than hacking.
By CERT-In’s
CERT-In rates the severity of this campaign as High.
2) How WhatsApp device linking typically works (to make the attack scenario plausible)
The multi-device functionality in WhatsApp is intended so that you are able to use WhatsApp on other devices:
WhatsApp Web/Desktop: Open web.whatsapp.com on the computer and scan the QR code with your phone to establish the connection.
Link device with phone number (in certain flows/regions, and dynamic UI):
Linking might require you to enter your phone number and undergo verification steps.
Once connected, your phone will remain your “primary,” while your connected device will be able to view your messages, and most will show up in real-time.
Additionally, WhatsApp gives you a spot in Settings where you can view and control connected devices, and you can sign out if you’re not familiar with the session.
The security assumption being violated is that you are the only one who approves a new device link. GhostPairing tricks you into giving that approval, or into entering a pairing code, which accomplishes the same goal.
3) What “Ghost Pairing” looks like in the real world
Based on the CERT-In advisory and security write-ups on this malicious activity, the attack typically unfolds as follows:
Step 1: What looks like an innocent message (often from someone you know)
The message sent to the victim reads something like:
“Hi, check this photo”
“I found your picture”
“Is this you in this video?”
Occasionally, the message will seem to come from a trusted source, because one account may be compromised first and the lure then distributed to that user’s contact list in a “worm-like” fashion.
Step 2: A link with a persuasive preview
The link often has a Facebook-like preview (or similar) that looks authentic and tappable.
Step 3: A dummy page that forces you to move towards “verification”/“pairing”
Clicking may lead to a mock viewer registration page prompting “verify to view content,” and then to a process that ultimately leads to:
entering a telephone number, and/or
inputting a pairing code, and/or
approving a device link
The user intends to “unlock a photo” but ends up connecting the attacker’s device to their WhatsApp account.
Step 4: The attacker becomes a “linked device” (frequently quietly)
Once connected, the attacker can:
access chats (groups included),
read messages as they come in,
possibly download media,
impersonate the victim to scam other people,
monitor sensitive business/community conversations (particularly hazardous in office spaces).
That is why this attack can be so nasty: it can spread from an individual to their social circle and even to professional communities where financial data may be shared. (The Times of India)
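For anyone triaging reported messages (a family admin or an office helpdesk), the lure pattern in Steps 1 and 2 and the “worm-like” spread can be checked mechanically. The following is an added example, not code from CERT-In or WhatsApp; the brand allow-list, the (sender, recipient, text) message format and the .example hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Curiosity-bait phrasings of the kind quoted in Step 1.
LURE_RE = re.compile(r"(check|look at|found|is this you).{0,40}(photo|picture|video)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: brands a lure preview may imitate, mapped to their genuine domains.
BRAND_DOMAINS = {"facebook": ("facebook.com", "fb.com"), "whatsapp": ("whatsapp.com",)}

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def lookalike_brand(host):
    """Return the brand a host name imitates without belonging to it, else None."""
    for brand, domains in BRAND_DOMAINS.items():
        genuine = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not genuine:
            return brand
    return None

def signals(text):
    """List the warning signs found in one message (empty list = nothing flagged)."""
    found = []
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    if hosts and LURE_RE.search(text):
        found.append("lure-phrase+link")  # verify with the sender before opening
    for h in hosts:
        brand = lookalike_brand(h)
        if brand:
            found.append("lookalike:" + brand)
    return found

def worm_like_senders(messages, min_recipients=2):
    """Senders who pushed the same link host to several recipients."""
    seen = defaultdict(set)
    for sender, recipient, text in messages:
        for u in URL_RE.findall(text):
            seen[(sender, host_of(u))].add(recipient)
    return sorted({s for (s, _), r in seen.items() if len(r) >= min_recipients})

# Constructed sample reports: (sender, recipient, text).
SAMPLE = [
    ("asha", "ravi", "Hi, check this photo https://facebook-photos.example/view?id=7"),
    ("asha", "meena", "Is this you in this video? https://facebook-photos.example/view?id=9"),
    ("ravi", "meena", "Look at this photo from the trip https://www.facebook.com/photo/123"),
    ("meena", "ravi", "Lunch at 1?"),
]
```

A message that only trips "lure-phrase+link" still calls for confirming with the sender; a sender reported by worm_like_senders should be asked to review their Linked Devices.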
4) Is it a WhatsApp ‘bug’ or ‘scam’?
This is an important nuance.
In most instances, GhostPairing is better described as the exploitation of a beneficial feature.
Instead of “breaking encryption,” attackers exploit:
human behavior (curiosity and urgency),
trust in known contacts, and
the complexity of linking flows, where users may not understand what they are approving.
It has been described as an account takeover attack specifically targeting the pairing process.
But there are real software bugs in WhatsApp.
In addition to Ghost Pairing, other documented WhatsApp vulnerabilities include CVE-2025-30401 (a spoofing vulnerability in WhatsApp for Windows before version 2.2450.6 that could result in arbitrary code execution upon opening an attachment).
Thus, “WhatsApp security issue” may have two different meanings:
a campaign/scam that exploits normal functionality (GhostPairing),
a software vulnerability that needs patching, as in CVE alerts.
The message to users from all this is the same: update + verify + don’t approve unknown actions.
However, there’s a twist. It
5) Who is most at risk?
GhostPairing can target anyone, but there are people who attract it more:
1) People in many WhatsApp groups
More groups means more scam reach and more conversation value.
2) Owners & admins of small businesses
Payments, invoices, customer lists, supplier conversations—WhatsApp might serve as an informal “business inbox.”
3) People who use WhatsApp Web frequently
A greater familiarity with linking prompts decreases the level of circumspection (“Oh yeah, that’s normal”), which attackers exploit.
4) Users who don’t regularly check Linked Devices
If you do not review your sessions, you can extend the time an attacker is connected.
5) Families where phones are shared or loosely controlled
Unlocked phones make it easy for someone nearby to quickly establish a link.
6) What attackers can do after takeover (the real-world damage)
Once attackers have linked their device, they can cause damage at several layers:
A) Privacy harm
View personal messages, images, and documents
Learn addresses and times shared via chat
Reuse messages for social engineering or blackmail
B) Impersonation fraud
A very common pattern:
Attacker pretends to be you
Messages your closest contacts
Requests urgent money: “UPI karo, urgent” (“pay by UPI, urgent”)
Since it comes from your own WhatsApp, it looks authentic.
C) Long-term identity abuse
Attackers can:
change your profile picture/name,
run scams for days before being detected,
use your account to victimize others (“Check this photo”).
D) Workplace and community compromise
Office groups are a goldmine:
internal plans
sensitive discussions
shared credentials (alas, all too
vendor contacts
This is precisely why enterprise security professionals now treat messaging apps as part of the attack surface.
7) How to protect yourself (best practical steps)
Here is a list of high-impact actions that you should undertake.
Step 1: Check your Linked Devices right now
On WhatsApp (Android/iPhone):
Settings → Linked Devices
Review every session
If anything looks unfamiliar:
Log out immediately
This is one of the most direct defenses, because GhostPairing depends on sneaking in a linked device.
Step 2: Enable WhatsApp two-step verification (2FA)
Enable in-app two-step verification for WhatsApp using a PIN and email. This adds extra hurdles to taking over and using an existing user’s account.
Step 3: Check updates regularly on WhatsApp (and on WhatsApp Desktop, if
Although Ghost Pairing is mainly social engineering, staying up to date also protects you against actual software bugs, for example in the Windows client software, as shown in the advisories on WhatsApp.
Step 4: Be cautious about “photo/video” links even from friends
If someone sends “Look at this photo” + link:
Do not click immediately.
Ask them in a follow-up message: “Did you send this link?”
If their account has been hacked, they might not even realize it.
Step 5: Never enter pairing codes on random pages
With your device ready and your
A safe rule:
Enter a pairing code only when you yourself initiated the “pair/link” action from within the WhatsApp settings on your phone.
Step 6: Secure Your Phone Properly
Anderson cites
Use:
strong PIN/bi
auto-lock fast (30 sec/ 1 min),
don’t share unlock code.
Step 7: Add a ‘family safe word’ for money requests
“Family safe words’
A simple rule related to close members or
Any urgent financial request must contain a predetermined “safe word” or can be confirmed by a call.
This alone eliminates a huge percentage of WhatsApp scams.
8) If you believe you have already been compromised: Actions to take right away
These are to be done in the following
Open WhatsApp → Linked Devices → log out of every device you don’t recognize.
Turn on two-step verification (if not enabled).
Tell your close contacts: “My WhatsApp may be hacked; ignore money/link requests.”
Look for other compromised accounts (email, Instagram, Facebook); attackers often chain attacks.
Summary:
If there has been fraud related to money, report it through the India cybercrime reporting channels/helpline.
9) Why this matters for “current tech conversations”
The fact that a CERT-In notice about WhatsApp is going viral points to a major reason why the warning is trending.
“Security risk is no longer only for hackers and companies”
Security risk isn’t what
A normal user can be considered a target simply because:
they have a phone number.
they have contacts,
they are in groups,

and they believe a message that seems very familiar.
Increasingly, attackers turn to a “low-tech” approach that scales
Rather than hunting for a zero-day exploit, which would be difficult, the attackers:
exploit linking features (easy),
use dummy pages (easy),
use psychology (extremely effective), and
spread through social graphs (scales fast).
“Messaging applications are the new identity layer”
In the Indian context, WhatsApp frequently behaves like:
an address book,
a business tool,
a community platform,
a payment coordination channel.
Thus, having control over a WhatsApp account is no less than having control over a person’s social identity.
10) The big takeaway (one sentence)
A reminder that even the best encryption can be overcome by tricking users into giving access, so the best defense is settings hygiene (Linked Devices + 2FA) combined with a healthy dose of link skepticism.
The final tool introduced in this section is called “Ghost Pairings.” This is a very important tool, as it not only shows the user what their settings





