Billions of WhatsApp Users Exposed to Silent Phone Tracking Risk

A newly released research tool has highlighted a serious privacy risk affecting WhatsApp and Signal users worldwide. By knowing only a person’s phone number, attackers can quietly monitor phone activity without sending visible messages or alerts.

The issue potentially affects more than three billion users and is almost impossible to detect during everyday use.

Unlike traditional hacks, this technique does not rely on malware or breaking into accounts. Instead, it takes advantage of how messaging apps communicate in the background. Because nothing unusual appears on screen, victims may never realize their phone is being monitored.

How the tracking works

The vulnerability, known as Silent Whisper, abuses automatic delivery confirmations that messaging apps send whenever they process network traffic. These confirmations happen at a very low level and are designed to ensure messages move smoothly across the network. Importantly, they occur even if no actual message is delivered to the user.

Attackers can trigger these confirmations repeatedly and measure how long it takes for the response to come back.

These tiny timing differences change depending on whether the phone is active, idle, offline, connected to Wi-Fi, or using mobile data. No message notifications are shown, and no conversation needs to exist.

By sending probes as often as dozens of times per second, attackers can collect enough information to understand how a device is being used.

Stable, fast responses often suggest the phone is in use at home, while slower or inconsistent responses can indicate movement, travel, or poor reception.

Fig 1. The UI of the WhatsApp Tracker app. (Source: Cybernews)

What attackers can learn

Over time, this method allows someone to build a detailed profile of a person’s routine. Patterns may reveal when someone wakes up, goes to sleep, leaves home, or returns.

Long gaps can indicate airplane mode or a powered-off device, while fluctuating responses may suggest commuting or travel.

Although no messages, photos, or contacts are accessed, this kind of behavioral tracking is still highly invasive. Knowing when someone is home or away could be useful for stalking, harassment, or even physical crimes. The fact that only a phone number is required lowers the barrier for abuse.

Researchers also found that this technique can be used to roughly infer location and device type. By probing from different regions or networks, attackers may narrow down where a person is located and whether they are using a specific phone or operating system.

Battery drain and limited protections

Beyond privacy concerns, the attack can noticeably affect phone performance. Continuous probing increases battery usage and mobile data consumption.

Tests showed some phones losing over 10% of battery per hour, while data usage rose enough to interfere with video calls and other data-heavy apps.

Defending against this threat is difficult. Disabling read receipts and online status indicators helps reduce general visibility but does not fully block this technique.

WhatsApp offers a setting to block high volumes of messages from unknown accounts, which may slow attackers, but limits are unclear.

As of now, the vulnerability remains exploitable leaving users dependent on app developers to address the underlying issue.