
Another draw is WhatsApp's end-to-end encryption (E2EE): the private keys that secure messages are stored only on the user's device, so it should be impossible to eavesdrop on private messages without either physical access to the device or remotely infecting it with malware.
GhostPairing demonstrates that a social engineering attack can bypass this protection without breaking the cryptography: the victim is tricked into linking an attacker-controlled device to their account. Interestingly, although still possible, the attack is less practical when users must pair by scanning a QR code. That offers some reassurance for users of messaging apps such as Signal, which only allows pairing via QR codes.
Defending WhatsApp
Users can check which devices are linked to their account via Settings > Linked Devices; a rogue device will appear in this list. Even with access to the account, the attacker cannot use a linked device to unlink the victim's devices or lock them out, because unlinking must be initiated from the primary device. Another tip is to enable two-step verification (a PIN). This won't stop an already-linked attacker from reading messages, but it means they can't change the account's primary email address.
