Information Security News

Invisible Surveillance: Tool Exploits WhatsApp/Signal Network Latency to Track User Activity

by ddos · December 16, 2025

A tool has been released into the public domain that enables covert monitoring of user activity on WhatsApp and Signal using nothing more than a phone number. This surveillance technique spans more than three billion accounts and can reconstruct a person’s daily routine with unsettling precision—pinpointing when they return home, periods of active smartphone use, sleep cycles, movement patterns, and extended offline intervals. A secondary effect is accelerated battery drain and increased mobile data consumption, all occurring without the device owner’s awareness.

The method exploits the way message delivery protocols function in popular messaging apps. It relies on low-level delivery acknowledgements and analyzes round-trip time (RTT)—the delay between sending a packet and receiving a response. These acknowledgements are issued automatically at the network layer, before any inspection of message content, allowing an external party to obtain measurable responses regardless of whether an actual conversation exists.

In practice, anyone can send so-called “pings” to a victim’s device. The app responds instantly, but the latency varies markedly depending on the phone’s state, the type of network connection, and signal conditions. Wi-Fi versus cellular access, an active screen versus standby mode—all produce distinct timing profiles that become easy to distinguish through frequent sampling.

This vulnerability was first comprehensively described by researchers from the University of Vienna and SBA Research in an academic paper published last year. The authors demonstrated that such hidden probes can be sent at very high frequencies—down to fractions of a second—without triggering notifications, pop-ups, or any visible traces in the app interface, even if the two parties have never communicated.

Those theoretical findings have now taken on a practical form. A researcher known as gommzystudio has published a working proof of concept on GitHub, illustrating just how easily sensitive information about phone usage can be extracted. The demonstration shows how a single phone number can reveal whether a device is active, idle, asleep, or completely offline, along with additional behavioral signals.

One particularly effective technique involves sending reactions to messages that do not exist. These requests never appear on the recipient’s device, yet they still trigger automatic delivery acknowledgements. The application first confirms receipt of the network packet and only afterward checks whether the referenced message exists, leaving the surveillance chain entirely invisible.

Experiments indicate that such probes can be executed at intervals of roughly 50 milliseconds without leaving any trace in the user interface. Meanwhile, the smartphone consumes significantly more power and transmits far more data. Detecting the activity is possible only by physically connecting the device to a computer and analyzing internal logs.
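The log analysis mentioned above could look for the probe pattern directly: many reactions from one sender that reference messages the device never held, arriving tens of milliseconds apart. The sketch below is an added example, not code from the article, the paper, or the published proof of concept; the record layout `(timestamp_ms, sender, kind, referenced_id)`, the phone numbers, the one-second window and the threshold of 10 are all constructed assumptions.

```python
from collections import defaultdict, deque


def find_probe_senders(events, known_message_ids, window_ms=1000, threshold=10):
    """Return {sender: peak} for senders whose reactions to unknown message
    IDs reach `threshold` or more inside any sliding window of `window_ms`."""
    windows = defaultdict(deque)  # sender -> timestamps of suspicious reactions
    peaks = defaultdict(int)      # sender -> largest count seen in one window
    for ts, sender, kind, ref_id in sorted(events):
        # A reaction to a message the device really holds is normal chat traffic.
        if kind != "reaction" or ref_id in known_message_ids:
            continue
        win = windows[sender]
        win.append(ts)
        # Drop timestamps that have aged out of the window.
        while win and ts - win[0] >= window_ms:
            win.popleft()
        peaks[sender] = max(peaks[sender], len(win))
    return {s: p for s, p in peaks.items() if p >= threshold}


def build_sample():
    """Constructed records (hypothetical format): one sender reacting to
    non-existent messages every 50 ms, and one ordinary contact."""
    known = {"msg-1", "msg-2"}
    events = [(t, "+10000000001", "reaction", f"ghost-{t}")
              for t in range(0, 3000, 50)]
    events += [
        (400, "+10000000002", "reaction", "msg-1"),       # valid reaction
        (500, "+10000000002", "message", "msg-3"),        # ordinary message
        (90000, "+10000000002", "reaction", "stale-id"),  # single stray reaction
    ]
    return events, known


if __name__ == "__main__":
    sample_events, sample_known = build_sample()
    for sender, peak in find_probe_senders(sample_events, sample_known).items():
        print(f"{sender}: {peak} reactions to unknown messages within 1 s")
```

A single stray reaction to a deleted or expired message stays below the threshold, so only sustained bursts are reported.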

Interpreting these latency patterns unlocks extensive monitoring capabilities. Very low RTT values typically correspond to active phone use with the screen on and a Wi-Fi connection. Slightly slower responses suggest activity over cellular data. Higher delays are characteristic of standby mode on Wi-Fi, while very large delays point to sleep mode on cellular networks or poor reception. A complete lack of response indicates airplane mode or a powered-off device, and sharp fluctuations in latency betray physical movement.

Accumulating such measurements over time allows the construction of a detailed behavioral profile. Stable Wi-Fi patterns usually coincide with being at home, prolonged inactivity aligns with sleep, and distinctive cellular signatures reveal travel or walks outside.

The repository quickly attracted community attention, amassing hundreds of stars and dozens of forks in a short period. Although the author emphasizes the research and educational nature of the project, the tool is freely available to anyone, making real-world abuse a tangible concern.

The impact on battery life deserves special attention. Based on the original academic study, an attacker can nearly drain a battery within hours without any access to the account or the device itself. Under normal conditions, an idle smartphone loses less than 1% of charge per hour. During WhatsApp tests, however, an iPhone 13 Pro lost around 14% in the same period, an iPhone 11 about 18%, and a Samsung Galaxy S23 roughly 15%.

Signal proved more resilient due to built-in rate limiting on acknowledgements. Under identical conditions, battery drain was limited to about 1% per hour, as excessive requests were blocked. WhatsApp lacked such constraints at the time of testing, making the attack significantly more effective.

Mobile data usage also rises sharply, and bandwidth-sensitive applications—such as video calls—suffer noticeable degradation. Researchers further showed that response timing can be used to roughly infer a user’s geographic region, for example distinguishing Germany from the UAE. Employing multiple probing points from different countries could potentially refine location estimates even further.

Latency instability can reveal not only movement but also the type of device and operating system, as different models and platforms handle network packets differently. In effect, a single phone number becomes a gateway to multi-layered profiling.

To mitigate risk, users are advised to enable WhatsApp’s option to block messages from unknown accounts via advanced privacy settings. This may limit the volume of hidden probes from unfamiliar numbers, although the company does not disclose exact thresholds, leaving the attack vector partially open. Disabling read receipts reduces metadata leakage in normal chats but does not address the specific loophole involving reactions.

Signal offers more granular privacy controls, including the ability to disable delivery receipts and typing indicators. More broadly, researchers recommend disabling “last seen,” “online,” and similar activity markers across all messaging platforms whenever possible. Complete protection against metadata leakage remains one of the most challenging problems in information security.

As of December 2025, the vulnerability remains exploitable in both WhatsApp and Signal.

Tags: Battery Drain, cybersecurity, Metadata Leak, Network Latency, privacy, Proof of Concept, RTT, Signal, Surveillance, WhatsApp
