Free Tool Can Spy on WhatsApp and Signal Users Without Detection

A new tracking tool exploits WhatsApp and Signal delivery receipts to monitor users silently and reveal their daily routines using just a phone number.

A cybersecurity researcher has publicly released a proof-of-concept tool that exposes a fundamental vulnerability in WhatsApp and Signal, enabling silent tracking of over 3 billion users worldwide—simply by knowing their phone number.

The tracking tool, released by a security researcher on GitHub, demonstrates how attackers can exploit delivery receipts (automated confirmations that messages reached their destination) to monitor user behavior without triggering any visible notifications.

This "Silent Whisper" vulnerability, first documented by University of Vienna researchers in 2024, remains unpatched despite both Meta and Signal being notified over a year ago.

How the Attack Works

The exploit abuses a core messaging protocol feature: delivery receipts are sent automatically before apps verify whether messages actually exist. Attackers can send reactions to non-existent messages at intervals as short as 50 milliseconds, creating an invisible ping system that measures round-trip time (RTT)—how long responses take to return.

These RTT measurements reveal surprisingly detailed information about user activity. Low RTTs indicate active device use on WiFi, slightly higher values suggest mobile data usage, high RTTs signal standby mode, and timeouts indicate the device is offline or in airplane mode. Highly varying RTTs can even indicate a moving device.

"Over time, you can use this to infer behavior: when someone is probably at home (stable Wi-Fi RTT), when they're likely sleeping (long standby/offline stretches), when they're out and moving around," the researcher explained on Reddit.

Beyond Tracking: Resource Exhaustion

The vulnerability extends beyond privacy invasion. During testing, researchers achieved battery drainage rates of 14-18% per hour on iPhones and 15% on Samsung devices—compared to typical idle consumption of less than 1% per hour. Attackers can also consume up to 13.3 GB of data per hour by sending oversized reaction payloads, potentially exhausting victims' data allowances without their knowledge.

The original University of Vienna research demonstrated that attackers could track users across multiple devices, determine when they arrive at work or home, infer sleep schedules, and even detect when specific apps are in use—all while remaining completely invisible to victims.

Protection Measures

WhatsApp users can enable some protection by navigating to Settings → Privacy → Advanced and enabling "Block unknown account messages," though this doesn't provide complete protection. Both WhatsApp and Signal users should disable read receipts, "Last Seen," and "Online" status indicators in privacy settings.

However, as of December 2025, the vulnerability remains fully exploitable in both platforms. The fundamental issue lies in how these apps handle delivery receipts at the protocol level—a design choice that prioritizes user experience over privacy but cannot be disabled by users.
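The probing pattern described above (rapid reactions that reference messages the recipient never had) is distinctive enough to detect wherever that check can be made. The following is an added example, not code from the article, the researchers, or either app: the event tuple format, account labels, window, and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Message ids that really exist in the recipient's chats (constructed).
KNOWN_MESSAGE_IDS = {"m1", "m2"}

def build_sample_events():
    """Constructed events: (timestamp_ms, sender, kind, target_message_id)."""
    events = [
        (0, "acct-A", "reaction", "m1"),      # normal reaction to a real message
        (5000, "acct-A", "text", None),
        (9000, "acct-A", "reaction", "m2"),
    ]
    # acct-B reacts to unknown ids every 50 ms for two seconds.
    events += [(10000 + i * 50, "acct-B", "reaction", f"x{i}") for i in range(40)]
    # A single orphan reaction, e.g. the target was deleted locally.
    events.append((20000, "acct-C", "reaction", "gone"))
    return sorted(events, key=lambda e: e[0])

def find_probe_senders(events, known_ids, window_ms=1000, threshold=5):
    """Flag senders of bursts of reactions to non-existent messages.

    Returns {sender: peak number of orphan reactions within any window_ms}
    for every sender whose peak reaches the threshold.
    """
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    peak = defaultdict(int)
    for ts, sender, kind, target in events:
        # Only reactions whose target message is unknown are suspicious.
        if kind != "reaction" or target in known_ids:
            continue
        q = recent[sender]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while ts - q[0] > window_ms:
            q.popleft()
        peak[sender] = max(peak[sender], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for sender, n in find_probe_senders(build_sample_events(), KNOWN_MESSAGE_IDS).items():
        print(f"{sender}: {n} orphan reactions within 1 s")
```

A flagged sender is a candidate for rate limiting or for suppressing further delivery receipts; a lone orphan reaction, like the one from acct-C, stays below the threshold.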
