Security researchers have disclosed a new tracking technique that can be used to monitor activity patterns of WhatsApp and Signal users by exploiting how the apps handle message delivery acknowledgments.
The issue was recently highlighted by researchers at Cybernews, following the public release of a proof-of-concept tracking tool.
The technique allows an attacker to infer when a phone is active, idle, offline or moving, using nothing more than a target’s phone number. In addition to privacy concerns, the method can significantly drain battery life and mobile data without alerting the user.
How the Tracking Works
The attack abuses delivery receipts built into modern messaging protocols. When WhatsApp or Signal receives a message or reaction, the app sends a low-level acknowledgment back to the sender to confirm receipt of the network packet.
Instead of sending real messages, attackers can send reactions tied to non-existent message IDs. Because the apps respond before validating whether the message exists, no notification appears on the target device.
By measuring how long it takes for these acknowledgments to return — known as round-trip time (RTT) — attackers can infer the phone’s current state. Differences in RTT reveal whether the device is on Wi-Fi or mobile data, whether the screen is on or off, and whether the device is stationary or moving.
This behavior was first documented in an academic research paper published by researchers from the University of Vienna and SBA Research, who described the attack technique under the name “Silent Whisper.”
What Attackers Can Learn
According to the researchers, sustained probing can reveal detailed behavioral patterns over time. Stable, low RTT values often indicate a device being used at home on Wi-Fi, while higher or fluctuating RTT values may indicate movement or mobile network use. Extended periods of high latency or timeouts can suggest the user is sleeping, offline, or in airplane mode.
The technique goes well beyond simple “online” or “offline” indicators and can be used for behavioral profiling when conducted continuously.
Interest in the issue increased after a cybersecurity researcher using the alias “gommzystudio” published a proof-of-concept tracking tool on GitHub. The tool demonstrates how easily the attack can be automated and scaled, allowing probes to be sent as frequently as every 50 milliseconds without user awareness.
The researcher notes that high-frequency probing can rapidly drain battery life and increase mobile data usage, particularly on WhatsApp. In testing referenced by the original research, some smartphones lost more than 15% of battery charge per hour under sustained probing.
Signal appears to be less affected due to receipt rate limiting, which significantly reduces battery drain compared to WhatsApp.
Beyond surveillance concerns, the attack can degrade device performance. Continuous receipt handling increases power consumption and data usage, potentially exhausting batteries within hours. Researchers also found that RTT measurements could be used to roughly infer geographic location and, in some cases, distinguish between device types and operating systems.
Researchers report that the issue remains exploitable on both WhatsApp and Signal, though mitigation efforts differ between the two platforms.
What Users Can Do
WhatsApp users can reduce exposure by enabling the option to “Block unknown account messages” in the app’s privacy settings.
While this may limit large-scale probing from unknown numbers, it doesn’t entirely prevent the attack. Disabling read receipts and activity indicators can reduce some metadata leakage but does not completely mitigate this technique.
Signal allows users to disable receipts and typing indicators and already enforces stricter rate limiting, which limits the effectiveness of large-scale probing.
While message contents can be encrypted, the research shows that protocol-level behavior alone can reveal patterns about device usage, movement, and availability, raising broader questions about how much metadata modern messaging platforms unintentionally expose.
Leave a Reply