OP 13 December, 2025 - 04:50 AM
A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything.
The new user activity tracking method exploits how WhatsApp or Signal messaging protocols work at the fundamental level – it abuses delivery receipts to calculate the signal round-trip time (RTT).
Apparently, anyone can ping your device, the app will respond, and the RTT will vary wildly depending on what the phone is doing and whether it is using WiFi or mobile data.
Security researchers first described this vulnerability, dubbed “Silent Whisper,” in a paper released last year.
“An adversary can craft stealthy messages that enable probing a target at high frequency (up to sub-second granularity) while not causing any notification at the target side and also in the absence of an ongoing conversation,” warned researchers Gegenhuber et al. from the University of Vienna and SBA Research.
However, now one cybersecurity researcher, operating under the alias “gommzystudio” on GitHub, has released a proof-of-concept tool that demonstrates how easy it is to track sensitive user activity:
https://github.com/gommzystudio/device-activity-tracker
“A phone number can reveal whether a device is active, in standby, or offline (and more),” the developer writes.
Fast ping – you’re browsing at home, slow ping – you’re away
Messenger apps send delivery receipts and read receipts whenever a user gets a message or a reaction to the message. However, to obtain these receipts, attackers do not need to send any actual messages.
Instead, they can “react” to non-existent messages.
“The tracker sends reaction messages to non-existent message IDs, which triggers no notifications at the target,” gommzystudio explains.
The apps respond before checking if the message/reaction actually exists, because delivery receipts (ACK) are sent automatically to confirm network packet reception at a low level.
“I was able to spam probes at roughly 50ms intervals without the target seeing anything at all – no popup, no notification, no message, nothing visible in the UI,” the researcher further explains on Reddit.
“The device starts draining battery much faster, and mobile data usage shoots up significantly. The victim still can’t detect any of this unless they physically connect the iPhone to a computer and dig through.”
What can an attacker achieve with 20 pings every second, measuring how long it takes for the delivery receipt to come back? It turns out they leak a lot of information:
A low RTT indicates that the device is actively in use, the screen is on, and it is typically connected to WiFi
A bit higher RTT signals that the device is active with the screen on, but on mobile data
High RTT indicates that the screen is off and the device is in standby mode on WiFi
Very high RTT signals standby (screen off) on mobile data, or bad reception
Timeouts and failures indicate that the device is offline or in airplane mode
Highly varying RTT indicates a moving device
“Over time, you can use this to infer behavior: when someone is probably at home (stable Wi-Fi RTT), when they’re likely sleeping (long standby/offline stretches), when they’re out and moving around (mobile data RTT patterns),” the researcher warns.
“Call it tracking, profiling, fingerprinting – whatever. It’s definitely more than ‘online/offline.’”
The repository on GitHub attracted significant attention with over 250 stars already and 36 forks.
While the tool is aimed at research and educational purposes only, anyone can download and use it to track others.
“Never track people without explicit consent – this may violate privacy laws,” the researcher warns. “Use responsibly. This tool demonstrates real security vulnerabilities that affect millions of users.”
Batteries can be depleted in a few hours
The original paper details even more ways attackers can exploit this flaw.
Researchers significantly increased battery drainage for all tested phones. Hackers can drain a battery very quickly simply by knowing the phone number.
Typically, an idle phone consumes less than 1% of its battery per hour. However, during tests with WhatsApp, the iPhone 13 Pro lost 14% per hour, the iPhone 11 lost 18% per hour, and the Samsung Galaxy S23 lost 15% per hour.
Signal, however, has implemented rate limiting for receipts, which WhatsApp lacked; as a result, an hour of attack reduced the battery charge of the Signal test device by only 1%.
This malicious activity also drains the data allowance and degrades the usability of other bandwidth-intensive applications, such as video calls.
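To illustrate why rate limiting blunts both the battery drain and the timing leak, here is an added example (not code from the paper, the tracker, or either messenger) of a per-sender sliding-window limiter applied to delivery receipts, fed with a constructed 20-probes-per-second stream like the one described above. The budget of one receipt per five seconds per sender is an assumption chosen for the demonstration, not Signal's actual policy.

```python
"""Per-sender rate limiting of delivery receipts (mitigation sketch)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ReceiptRateLimiter:
    """Allow at most `max_receipts` delivery receipts per sender within any
    `window_s`-second sliding window. Probes over budget are still processed
    by the app but get no receipt, so the prober gets no RTT sample and the
    radio is not woken for an outbound ACK. Budget values are assumptions."""
    max_receipts: int = 1
    window_s: float = 5.0
    _sent: dict = field(default_factory=lambda: defaultdict(deque))

    def should_ack(self, sender: str, now: float) -> bool:
        q = self._sent[sender]
        # Expire receipt timestamps that have left the sliding window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_receipts:
            return False          # over budget: silently drop the receipt
        q.append(now)
        return True


def simulate_probes(limiter, rate_hz: float, duration_s: float,
                    sender: str = "+10000000000"):
    """Constructed probe stream: `rate_hz` reactions per second to bogus
    message IDs for `duration_s` seconds, all from one (made-up) sender.
    Returns (probes_received, receipts_sent)."""
    interval = 1.0 / rate_hz
    n = int(rate_hz * duration_s)
    acks = 0
    for i in range(n):
        t = i * interval
        if limiter is None or limiter.should_ack(sender, t):
            acks += 1
    return n, acks


if __name__ == "__main__":
    # Unlimited receipts: every probe yields an RTT sample and a radio wake-up.
    print("no limiter:", simulate_probes(None, rate_hz=20, duration_s=10))
    # With the limiter the 200 probes produce only a couple of receipts.
    print("1 per 5 s :", simulate_probes(ReceiptRateLimiter(), 20, 10))
```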
Researchers also detailed that delivery receipts were used to narrow down the user's location (e.g., UAE vs. Germany). Attackers could likely use multiple devices from multiple locations to probe and more accurately determine the target location.
Inconsistencies in RTTs may also indicate what type of device the victim uses, and its OS.
Source:
CyberNews
https://cybernews.com/security/whatsapp-...rain-flaw/