The world of encrypted messaging apps has just taken a significant hit. A newly revealed privacy vulnerability in WhatsApp and Signal shows that even the most secure communication platforms can leak sensitive information without users realizing it. Dubbed "Careless Whisper" by researchers, this design-level protocol issue allows silent profiling of user activity without triggering a single notification or breaking end-to-end encryption.
What's Behind the Silent Tracking Attack?
The vulnerability exploits metadata flowing beneath encrypted conversations. By sending invisible reactions to non-existent messages and measuring how quickly delivery receipts return, attackers can build detailed activity profiles of users. The attack operates entirely in the background, so a target is unlikely to detect it short of a forensic examination or unusual battery consumption.
How Does It Work?
Attackers send high-frequency message reactions to invalid message IDs. These reactions never appear in your chat history, yet WhatsApp and Signal still issue delivery receipts in response. By measuring the round-trip time of these acknowledgements, attackers infer your device state: whether your screen is active, whether you're connected to Wi-Fi or mobile data, or if you're completely offline.
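An added example, not from the original article or from either platform: a defender-side heuristic that flags senders whose reactions repeatedly name message IDs absent from the local chat store, the pattern described above. The event tuple layout, the thresholds and the sender labels are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def find_probing_senders(events, known_ids, window=10.0, limit=5):
    """Flag senders with more than `limit` reactions to unknown message IDs
    inside any `window`-second span.

    events: iterable of (timestamp_seconds, sender, target_message_id).
    This tuple layout is a hypothetical log format, not either app's schema.
    """
    recent = defaultdict(deque)   # sender -> timestamps of unknown-target reactions
    min_gap = {}                  # sender -> smallest gap between two of them (s)
    flagged = {}
    for ts, sender, target in sorted(events):
        if target in known_ids:
            continue              # reaction to a message that really exists
        q = recent[sender]
        if q:
            min_gap[sender] = min(min_gap.get(sender, float("inf")), ts - q[-1])
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            peak = max(len(q), flagged.get(sender, {}).get("peak_in_window", 0))
            flagged[sender] = {"peak_in_window": peak,
                               "min_gap_ms": round(min_gap[sender] * 1000)}
    return flagged

# Constructed sample data (not captured traffic).
KNOWN_IDS = {"msg-1", "msg-2"}
SAMPLE_EVENTS = (
    # sender-A: 40 reactions, 50 ms apart, each naming an ID that does not exist
    [(100.0 + i * 0.05, "sender-A", f"bogus-{i}") for i in range(40)]
    # sender-B: ordinary reactions, plus one to a message deleted locally
    + [(90.0, "sender-B", "msg-1"), (120.0, "sender-B", "msg-2"),
       (130.0, "sender-B", "msg-deleted")]
)

if __name__ == "__main__":
    for sender, stats in find_probing_senders(SAMPLE_EVENTS, KNOWN_IDS).items():
        print(sender, stats)
```

A single reaction to an unknown ID, such as sender-B's reaction to a locally deleted message, stays below the threshold, so ordinary use is not flagged.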
The Implications Are Alarming
The brutal reality is that a public proof-of-concept tool called Device Activity Tracker has weaponized this academic research. Released on GitHub by developer gommzystudio, the tool requires nothing more than a target's phone number. No prior contact relationship needed. No conversation history required. This attack works against all WhatsApp and Signal users with discoverable numbers.
How Deep Can This Activity Fingerprinting Go?
Testing has documented disturbingly intimate behavioural profiling capabilities. Probing at intervals as frequent as 50 milliseconds, attackers can discern:
- Sleep and wake patterns based on device responsiveness cycles
- Active phone usage versus locked screen states
- Network transitions between Wi-Fi and cellular connections
- When linked devices like desktop clients come online
- Approximate geographic location through network latency correlation
The Resource Exhaustion Problem Nobody's Discussing
High-frequency probing doesn't come without cost to victims. Documented testing shows battery drain rates exceeding 14% per hour on phones subjected to constant surveillance probing. Mobile data consumption spikes alongside battery depletion, creating potential financial impact for users with capped data plans.
Why Platform Fixes Remain Incomplete
Both Meta (WhatsApp) and the Signal Foundation have known about this vulnerability since late 2024, yet neither has implemented complete protocol-level remediation. Signal deployed stricter rate limiting in its December 2026 update, providing partial protection but not eliminating the attack vector entirely. WhatsApp imposes no meaningful rate limits on delivery receipt generation, leaving the platform especially vulnerable to high-frequency tracking campaigns.
In conclusion, this WhatsApp and Signal privacy vulnerability highlights a critical flaw affecting the privacy of millions of users. It's time for platforms to prioritize robust protocol-level fixes and hold themselves accountable for ensuring user privacy in an increasingly hostile digital landscape.