A new tool named Device Activity Tracker exposes a persistent privacy flaw in WhatsApp and Signal that lets attackers covertly monitor user activity using only their phone number.
Based on academic research from the University of Vienna and SBA Research, the tool demonstrates how delivery receipts, normally a harmless feature, can be weaponized into a real-time surveillance channel without user awareness.
Published on GitHub by user gommzystudio, the tool leverages the side-channel described in the 2024 paper titled “Careless Whisper”. By sending reaction messages to invalid or nonexistent message IDs, the tracker receives delivery receipts that reflect the round-trip time (RTT). These RTT values allow the system to infer if a device is active, idle, or offline, without triggering notifications or requiring an existing chat.
The PoC includes a web-based dashboard and a CLI, using the Baileys library to connect to WhatsApp Web. Users scan a QR code to authenticate and can then begin passive surveillance of any target by entering that target's phone number. Once active, the tool visualizes device state changes in real time, including screen on/off status and transitions between Wi-Fi and mobile networks.
According to the original paper, the technique works across platforms and devices. Researchers showed that RTTs differ depending on the device state. Active phones respond in under a second, while idle ones take longer. With high-frequency probing (e.g., one message every 50ms), they were able to map user routines, detect when phones switch networks, and identify when desktop clients come online, without alerting the victim.
Crucially, no prior interaction is needed. Both WhatsApp and Signal issue delivery receipts for message reactions even from unknown senders. That allows arbitrary targets to be silently monitored if their phone number is known. Threema, which was also tested, does not exhibit this behavior and was excluded from the final tool.
The PoC was independently verified by several Reddit users, some of whom reported battery drain and mobile data spikes during testing. One tester observed that their name appeared at the top of a target’s WhatsApp chat list, suggesting that stealthiness may vary slightly by implementation or recent activity, but the core exploit remains invisible at the UI level.
Despite being notified in 2024, neither Meta nor the Signal Foundation has patched the flaw at the protocol level. Signal does enforce stricter rate limits, which reduce the risk of battery and data exhaustion, but delivery receipts are still issued. WhatsApp imposes no such limits, making it especially vulnerable to high-frequency tracking and resource drain.
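The rate limits mentioned above are the only server-side lever the article names. As an added illustration (not code from the tracker, the paper, or either platform), the sketch below shows what a receipt-issuing server could check before acknowledging a reaction: a sender that repeatedly reacts to message IDs the target never received, at machine speed, is treated as a prober. The event fields, the assumption that the server can tell which message IDs exist for a given recipient, the thresholds, and the sample traffic are all constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class ReactionEvent:
    ts_ms: int        # server receive time in milliseconds (assumed field)
    sender: str       # account sending the reaction
    target: str       # account the reaction is routed to
    message_id: str   # id of the message the reaction claims to refer to

class ProbeDetector:
    """Flags (sender, target) pairs that react to message ids the target
    never received, faster than a human would, within a sliding window."""

    def __init__(self, known_ids, window_ms=10_000, max_invalid=5):
        self.known_ids = known_ids            # set of (target, message_id)
        self.window_ms = window_ms            # thresholds are assumptions
        self.max_invalid = max_invalid
        self._invalid = defaultdict(deque)    # (sender, target) -> timestamps

    def observe(self, ev):
        """Return True when this event puts the pair over the threshold;
        a server could then withhold the delivery receipt for it."""
        if (ev.target, ev.message_id) in self.known_ids:
            return False                      # reaction to a real message
        q = self._invalid[(ev.sender, ev.target)]
        q.append(ev.ts_ms)
        while q and ev.ts_ms - q[0] > self.window_ms:
            q.popleft()                       # drop events outside the window
        return len(q) > self.max_invalid

def flagged_pairs(events, known_ids, **kw):
    """Run the detector over an event stream and return the flagged pairs."""
    det = ProbeDetector(known_ids, **kw)
    return {(e.sender, e.target) for e in events if det.observe(e)}

# Constructed sample traffic, not real data.
KNOWN_IDS = {("+43100", "m1"), ("+43100", "m2")}
SAMPLE_EVENTS = (
    [ReactionEvent(0, "+43200", "+43100", "m1"),          # contact, real message
     ReactionEvent(3_000, "+43200", "+43100", "m2"),      # contact, real message
     ReactionEvent(6_000, "+43200", "+43100", "m9")]      # one stale id, benign
    # unknown sender: a reaction to a nonexistent id every 50 ms for one second
    + [ReactionEvent(i * 50, "+43900", "+43100", f"bogus{i}") for i in range(20)]
)

if __name__ == "__main__":
    print(flagged_pairs(SAMPLE_EVENTS, KNOWN_IDS))  # {('+43900', '+43100')}
```

The single stale reaction from the known contact stays under the threshold, while the 50 ms probe train crosses it on its sixth invalid reaction.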
The Device Activity Tracker is currently framed as an educational and research tool, but its release underscores how minor metadata like a delivery acknowledgment can become a powerful vector for behavioral surveillance. Until the underlying architecture of these messaging platforms changes, privacy-conscious users have few defenses.
The best available mitigation is enabling “Block unknown messages” in WhatsApp’s Settings → Privacy → Advanced. However, that setting only blocks unknown senders whose message volume is “high,” a threshold WhatsApp does not define, so attackers may still slip through with moderate probing.