
Researchers are sounding the alarm: a publicly available tool now allows tracking the activity of WhatsApp users knowing only their phone number. This is not about hacking an account or intercepting correspondence. It is sufficient to “ping” the device and analyze the messenger’s response time.

The method is based on the specifics of message delivery protocols. WhatsApp and Signal automatically send service confirmations that data was received (delivery receipts). These replies are sent even before the application verifies whether the message, or the message a reaction refers to, exists. Consequently, an attacker can measure the round-trip time (RTT), the duration between sending a query and receiving a reply, and draw quite precise conclusions about the device’s status from these values.

The vulnerability has been named Silent Whisper. Scientists from the University of Vienna and the SBA Research center detailed it last year. However, the story has now moved beyond scholarly publications: a researcher under the alias gommzystudio uploaded an illustrative PoC tool to GitHub, demonstrating how simply this works in practice. According to the author, one can send up to 20 “pings” per second without causing the victim any notifications, pop-up windows, or any visible traces within the application interface. Meanwhile, the device actively responds to the requests, and RTT metrics vary depending on the situation.

The picture turns out to be quite telling:

- A brief response time usually indicates the phone is in the user’s hands, the screen is on, and the connection is via Wi-Fi.
- A slightly higher RTT suggests active use over a mobile network.
- Significant delays point to standby mode with the screen off.
- Timeouts mean the device is offline or in airplane mode.
- If the values are constantly “jumping,” one might assume the person is in motion.

Over time, such measurements allow reconstructing a daily schedule: when a person arrives home, when they go to sleep, when they leave the house and use mobile connectivity. This is no longer just an “online” or “offline” status, but full-fledged behavior profiling.

A separate issue is the device load. Frequent queries rapidly drain the battery and consume mobile data. In the researchers’ experiments, both iPhone and Android smartphones lost 14 to 18% of their battery charge per hour. Signal appears slightly better in this scenario: due to a built-in response rate limit, the losses were about 1% per hour. Unfortunately, WhatsApp lacks such protection.

Furthermore, RTT analysis allows for a rough determination of the user’s geographical location (e.g., country or region), device type, and even operating system. When several probing points are used, the accuracy of such deductions can increase significantly.

The tool’s creator himself emphasizes that the project was created solely for research and educational purposes, and warns that surveilling individuals without their consent may violate the law. Nevertheless, the repository has already gathered hundreds of stars and dozens of forks, meaning the tool is accessible to anyone.

What can the average user do? At a minimum, enable the setting in WhatsApp to “Block messages from unknown accounts” (Settings → Privacy → Advanced). This might lessen the intensity of such attacks, though it does not completely resolve the issue. Disabling read receipts and activity indicators is also helpful, but it does not fully protect against Silent Whisper.

As of December 2025, the vulnerability remains relevant for both WhatsApp and Signal. Experts advise limiting status information in messengers when possible and monitoring for updates. The ball is now clearly in the service developers’ court.
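For developers, the two gaps the article describes (receipts sent before the referenced message is checked, and no response rate limit in WhatsApp) can be closed at the point where a client decides to send a delivery receipt. The sketch below is an added example, not code from WhatsApp, Signal or the PoC; the class name, the `kind` values and the limits are assumptions chosen for illustration.

```python
import time
from collections import defaultdict


class ReceiptGate:
    """Decides whether a delivery receipt may be sent for an incoming item.

    Hypothetical client-side component; names and limits are assumptions,
    not WhatsApp or Signal internals.
    """

    def __init__(self, rate_per_sec=0.2, burst=5, clock=time.monotonic):
        self.rate = rate_per_sec            # tokens refilled per second, per sender
        self.burst = burst                  # receipts allowed back to back
        self.clock = clock                  # injectable so tests control time
        self.known_ids = set()              # IDs of messages held in local storage
        self.buckets = defaultdict(lambda: (float(burst), clock()))
        self.suppressed = defaultdict(int)  # per-sender count, usable for alerting

    def store_message(self, msg_id):
        self.known_ids.add(msg_id)

    def allow_receipt(self, sender, kind, ref_id=None):
        # 1. A reaction (or any item that points at another message) is only
        #    acknowledged if the message it references actually exists.
        if kind != "message" and ref_id not in self.known_ids:
            return self._deny(sender)
        # 2. Per-sender token bucket: bursts pass, sustained probing does not.
        tokens, last = self.buckets[sender]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[sender] = (tokens, now)
            return self._deny(sender)
        self.buckets[sender] = (tokens - 1.0, now)
        return True

    def _deny(self, sender):
        self.suppressed[sender] += 1
        return False


if __name__ == "__main__":
    gate = ReceiptGate()
    # Constructed input: 20 items from one sender arriving back to back.
    sent = sum(gate.allow_receipt("+0000000000", "message") for _ in range(20))
    print(f"receipts sent: {sent}, suppressed: {gate.suppressed['+0000000000']}")
```

A growing `suppressed` counter for a single sender is also a usable signal for flagging or blocking that sender.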