SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
WhatsApp GhostPairing attack gives intruders access

WhatsApp GhostPairing attack gives intruders access

Thu, 16th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

Gen has identified a WhatsApp attack tactic called GhostPairing that can give intruders ongoing access to an account, according to its H1 2026 Threat Report.

The tactic relies on a user approving what appears to be a normal linked-device request, allowing an attacker to remain in the account without a password. Access can continue without a login alert, leaving messages, voice notes and contact patterns exposed.

Gen described GhostPairing as part of a broader shift in cybercrime, with attackers moving away from one-off theft toward methods that preserve access over time. Researchers said the same pattern is appearing elsewhere, including browser session theft and the misuse of AI agents that already hold user permissions.

That trend is central to the report's wider findings on scams, privacy breaches and identity risks. Attackers are increasingly operating through familiar systems and routine digital interactions rather than relying mainly on malware or direct technical compromise.

"The most effective attacks in the first half of 2026 didn't look like attacks," said Vita Santrucek, Chief Technology and Development Officer at Gen.

"They arrived through booking platforms, family message threads, software update channels and AI agent workflows - all places people already trust. As attackers blend into everyday digital experiences, protection has to move closer to the moments where confidence is earned, exploited or broken."

Wider patterns

Beyond messaging services, the report pointed to a rise in methods that exploit trust in institutions, consumer platforms and personal relationships. Gen said it blocked 114.2 million e-shop scam attacks in the half year, up 109%, while government impersonation scams rose 387%.

Family impersonation scams increased by more than 454%, highlighting attacks that depend on familiarity rather than technical sophistication. Gen also reported blocking 20.3 million tech support scam attacks, showing that attempts to persuade people to hand over remote access remain common.

Advertising and online shopping channels also featured heavily in the data. More than 304 million scam-ad impressions were identified across the EU and UK in less than one month, while 1 million web-skimming attacks were blocked, up 212%.

Those skimming attacks targeted online checkout pages where consumers already expect to enter card details, making fraudulent activity harder to distinguish from legitimate digital behaviour, the report said.

Privacy pressure

Tracking and data exposure formed another major theme. Gen said it blocked roughly 1.9 billion tracking attempts during the half year, or about 317 million a month, reflecting what researchers described as sustained pressure on consumer privacy.

Breach notification alerts with attributed leak sources rose 628.1% to 3.3 million, while total breach notifications exceeded 10 million. More than 15.7 million breached records containing email addresses were identified, giving criminals more scope for phishing, scams and account takeover.

Bank account activity alerts increased 734%, according to the report. Gen said the rise reflected broader monitoring coverage as well as a sharp increase in flagged financial activity.

AI concerns

The report also highlighted agentic AI as an emerging security issue. As AI systems gain permission to browse, install software, access files and connect to services on behalf of users, researchers said attackers are beginning to target the authority those systems hold.

Early telemetry from Sage, the company's agentic security platform, found that the most common high-risk AI agent behaviour included attempts to run dangerous system commands, open a remote command channel, download and execute code from the internet, read credential files without authorisation, create persistent remote access and override an agent's instructions.

That focus on permissions links the AI findings to GhostPairing and other threats in the report. In each case, the attack depends not on breaking in through a traditional exploit, but on retaining or abusing access that appears legitimate inside a trusted environment.

Across the first half of the year, many successful attacks were difficult to distinguish from ordinary digital activity, Gen said. The report found that scams were delivered through hotel booking systems tied to real reservations, financial fraud moved through verified accounts, and account access was obtained through routine approval flows inside established platforms.

The shift means users and security providers may need to pay closer attention to linked devices, active sessions, delegated permissions and other persistent forms of access that can remain in place long after they are granted.