A team of university researchers just proved that anyone with your number can silently map your daily life. Here's what they found and what you can do about it.

You probably feel safe on WhatsApp. Your messages are end-to-end encrypted. Nobody can read them. Even WhatsApp itself can't. So you speak freely about your health, your relationships, your money, and your plans.

But a research paper published in 2024 by scientists at the University of Vienna and SBA Research just proved something deeply unsettling: the content of your messages was never the only thing that could be used against you.

The paper is called "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers." It won the Best Paper Award at RAID 2025, one of the most respected cybersecurity conferences in the world. And what it reveals should change how you think about every messaging app on your phone.

The Two Ticks You Never Thought About

Every WhatsApp user knows the ticks. One tick means your message was sent. Two grey ticks mean it was delivered. Two blue ticks mean it was read.

Most people focus on the blue ticks, the read receipt. But the researchers focused on something far more interesting: the grey ones.

Those grey ticks, the delivery receipt, fire the moment your phone receives the message. They happen automatically, in the background, with no input from you. You don't need to open the app. You don't need to read anything. Your phone just… responds.

And that response is measurable. Down to the millisecond.

Silent Pings: The Attack Nobody Sees Coming

Here's where it gets alarming. The researchers discovered that WhatsApp and Signal can be triggered to send delivery receipts using *silent* messages: crafted signals that your phone responds to but that never appear in your chat. No notification. No badge. No sound. Nothing.

You wouldn't know it happened.

By sending these silent pings rapidly and measuring how quickly your phone fires back a delivery receipt, someone with only your phone number can extract a remarkable amount of private information:

Is your screen on or off? When your phone is unlocked and active, it responds in under a second. When it's locked or asleep, the response slows down. The difference is small but measurable and consistent.

Are you on WiFi or mobile data? WiFi produces a stable, low-latency response pattern. Mobile data has subtle jitter tied to cell tower load. These patterns are different enough to fingerprint reliably.

What time do you wake up and go to sleep? If your phone stops responding to pings at midnight and starts again at 6:30 AM, day after day, that's your sleep schedule. No camera. No microphone. Just timing data.

Are you at home, at the office, or commuting? Combined with the WiFi/mobile data signal, consistent patterns reveal where you tend to be at what time. Home WiFi in the morning, mobile data during commute hours, a different WiFi network during work hours.

Is WhatsApp your active app right now? If WhatsApp is in the foreground, it responds faster than if it's backgrounded. This reveals whether you're actively using the app or doing something else entirely.

Are you logged into WhatsApp Web? If you have an active web session running alongside your phone, a second receipt echo appears, detectable as a staggered acknowledgment.

How many devices are linked to your account? Because WhatsApp uses what's called "client-fanout," every device on your account receives a copy of the message and fires its own receipt; an attacker can count the responses. Two devices? Two receipts. They know.
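To make the "screen on or off" point concrete, here is an added simulation (not code from the paper or the original article) showing how well a single latency cut-off separates two device states, and how that separation shrinks when receipts are delayed by a random amount. It sends no traffic; every latency figure and the uniform-delay model are constructed assumptions, and an accuracy near 0.5 means the observer is guessing.

```python
import random

# Constructed latency model (milliseconds); these figures are illustrative
# assumptions, not measurements from the paper.
MODEL = {"screen_on": (350.0, 60.0), "screen_off": (1200.0, 250.0)}

def simulate_rtts(state, n, rng, added_delay_ms=0.0):
    """Draw n receipt round-trip times for a device state.

    added_delay_ms models any mechanism that delays each receipt by a random
    amount in [0, added_delay_ms] (assumption: uniform, independent)."""
    mean, sd = MODEL[state]
    return [max(0.0, rng.gauss(mean, sd)) + rng.uniform(0.0, added_delay_ms)
            for _ in range(n)]

def best_threshold_accuracy(on, off):
    """Accuracy of the best single cut-off 'rtt < t means screen on'.

    Gives the observer every advantage: the cut-off is tuned on the very
    samples it is scored on, so this is an upper bound for a threshold rule."""
    labelled = sorted([(r, 1) for r in on] + [(r, 0) for r in off])
    total = len(labelled)
    # Start with the cut-off below every sample: everything is called "off".
    correct = len(off)
    best = correct
    for _, is_on in labelled:
        # Moving the cut-off just above this sample now calls it "on".
        correct += 1 if is_on else -1
        best = max(best, correct)
    return best / total

def distinguishability(added_delay_ms, n=2000, seed=7):
    """Best-case accuracy at telling the two states apart for a given delay."""
    rng = random.Random(seed)
    on = simulate_rtts("screen_on", n, rng, added_delay_ms)
    off = simulate_rtts("screen_off", n, rng, added_delay_ms)
    return best_threshold_accuracy(on, off)

if __name__ == "__main__":
    for delay in (0, 500, 2000, 5000):
        print(f"added delay up to {delay:>4} ms -> "
              f"best-case accuracy {distinguishability(delay):.3f}")
```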

The Most Frightening Part: No Contact Required

You might assume this kind of monitoring requires the attacker to be in your contact list. Or to have messaged you before. Or for you to have saved their number.

None of that is true.

The researchers confirmed that any WhatsApp or Signal user can be targeted by anyone who knows their phone number with zero prior association. The attacker doesn't need to have ever spoken to you. You don't need to have their number. They don't need to be in your country.

All they need is your mobile number, the same one printed on your business card, listed on your LinkedIn, or shared when you signed up for a service years ago.

The number of people potentially exposed? Over 3 billion WhatsApp users and approximately 136 million Signal users worldwide.

Two People at Once: Mapping Social Connections

The attack goes further. By monitoring two phone numbers simultaneously, a watcher can detect when both become active at the same time and infer that those two people are probably talking to each other.

Not what they're saying. Just that they're communicating. At this time. On this day. This frequently.

Over weeks and months, that pattern becomes a social graph. Who do you talk to most? At what hours? How often? Does your communication with one person increase when another decreases? These are questions that intelligence agencies pay enormous sums to answer, and this method surfaces them from metadata alone.

Why Encryption Didn't Save You Here

This is the critical point that most people miss, and it's worth stating plainly.

End-to-end encryption protects what you say. It does not protect the fact that you said it, when you said it, how often you say things, or what state your phone is in when you say them.

The "Careless Whisper" researchers put it clearly: "This end-to-end encryption protects the content of messages, but not necessarily the associated metadata. Our work shows that privacy risks can arise when such metadata are collected and analyzed at scale."

WhatsApp encrypting your messages was never the whole story. The delivery receipt system, built for convenience to tell you your message arrived, became an unintended side channel. Not because of a simple bug. Because of a fundamental design decision about how the system works.

That's why fixing it isn't straightforward. Meta (WhatsApp's owner) and Signal were both informed of these findings in September 2024. As of the time of writing, no substantive patch has been deployed. This is classified under CWE-200 (exposure of sensitive information) and has no CVE number because it's a design-level issue, not a patchable bug in the traditional sense.

What You Can Do Right Now

The good news is that several settings meaningfully reduce your exposure. They do not eliminate it, but they reduce it.

On WhatsApp:

  • Go to Settings → Privacy → Read Receipts → turn off. This won't stop delivery receipts, but it removes the blue tick layer and signals less.
  • Go to Settings → Linked Devices → log out of any WhatsApp Web sessions you are not actively using.
  • On Android, go to Settings → Apps → WhatsApp → Mobile Data → turn off Background Data. On iPhone, go to Settings → General → Background App Refresh → WhatsApp → off. This significantly dampens the timing signal.

On Signal:

  • Go to Settings → Privacy → turn off Read Receipts and Typing Indicators.
  • Go to Settings → Account → turn on Registration Lock. This prevents SIM-swap attacks.
  • Signal is substantially better designed against this attack; its "sealed sender" feature and minimal metadata footprint reduce the exposure surface considerably.

For both apps:

  • Using a VPN normalizes your latency fingerprint and masks whether you're on WiFi or mobile data.
  • Enabling battery saver or low-power mode throttles background receipt delivery.
  • If you want the strongest protection, use a dedicated number (a secondary SIM or a VoIP number) for your Signal account, one that isn't tied to your public identity.

Why This Matters Beyond Individual Users

The researchers noted something that deserves wider attention: this vulnerability is particularly significant for high-profile targets. U.S. Senate staff, European Commission personnel, and senior government officials regularly use Signal for sensitive communications. Several have their phone numbers accessible online.

When a surveillance technique requires only a phone number and produces a live activity profile of the target (their schedule, their network, their active devices, and their communication patterns), the threat model extends well beyond personal privacy.

This is why academic security research matters. The University of Vienna team didn't build a product. They built a proof. And the proof is now public, peer-reviewed, and award-winning.

The question isn't whether someone could use this method. The question is whether the platforms will redesign their systems before someone does at scale.

The Bottom Line

WhatsApp and Signal protect your words. They were never designed to protect your patterns. And your patterns (when you sleep, where you work, who you talk to, and what device you use) are often more revealing than anything you actually say.

The "Careless Whisper" paper is a quiet alarm. The delivery receipt was a convenience feature. It became something else.

Read the paper yourself: arxiv.org/abs/2411.11194

Then check your settings.

*Based on peer-reviewed research: "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers" by Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, and Johanna Ullrich — University of Vienna & SBA Research. Best Paper Award, RAID 2025.*