How (Almost) Any Phone Number Can Be Tracked on WhatsApp & Signal
Published: December 14, 2025
They’re Watching You Type: The WhatsApp Vulnerability Hiding in Plain Sight
I’ve covered data breaches for seven years. I’ve written about zero-days, nation-state exploits, and supply chain attacks that kept security teams awake at night. But nothing quite prepared me for what I learned about “Careless Whisper” — a vulnerability so elegantly simple, so devastatingly effective, that it makes me rethink every encrypted message I’ve ever sent.
Here’s what haunts me: right now, someone with just your phone number could know exactly when you wake up, when you’re on a call, and whether you just walked through your front door. No malware needed. No clicked links. No notifications on your phone. Nothing.
And you’re probably using one of the affected apps right now.

For years, I’ve told people the same thing:
End-to-end encryption protects your messages – not your behavior.
After reading the research behind “Careless Whisper,” I’m more convinced than ever.
This isn’t a theoretical flaw.
It’s a quiet, scalable, phone-number-only surveillance technique affecting billions of users on WhatsApp and Signal – and most people have never heard of it.
What Is “Careless Whisper” – in Plain English

“Careless Whisper” is a newly disclosed side-channel vulnerability discovered by researchers from the University of Vienna and SBA Research, earning Best Paper at RAID 2025.
In simple terms, it allows an attacker to track your real-time device activity – screen on/off, app usage, network changes, even how many devices you use – using nothing but your phone number.
No notification.
No chat request.
No prior contact.
Just silence.
How the Attack Actually Works
What surprised me most isn’t that WhatsApp and Signal leak metadata – we already know they do – but how trivially exploitable this leak is.
Invisible Message Triggers
Attackers send non-visible actions such as:
• Self-reactions
• Reaction removals
• Invalid message deletions
These actions don’t appear on your device, but they still trigger delivery receipts.

Round-Trip Time (RTT) Analysis
Those delivery receipts leak timing information:
• ~300 ms → app active in the foreground (iPhone)
• ~1 second → screen on
• ~2 seconds → screen off
That’s enough to infer what your phone is doing in real time.
No Relationship Required
This is the part that really matters:
You don’t need to be in someone’s contacts.
Your phone number just needs to exist.
At scale, this becomes behavioral telemetry, not messaging.
What Attackers Can Learn (It’s Worse Than It Sounds)
From timing patterns alone, attackers can infer:
• Device activity state (screen on/off, foreground/background)
• Multi-device usage (phone, tablet, desktop, web client)
• Network type (Wi-Fi vs mobile data – yes, even when you get home)
• Daily routines (sleep, work hours, commuting patterns)
• Live activities (calls, messaging sessions, app switching)
At this point, we’re not talking about “metadata.”
We’re talking about behavioral surveillance.
The Scale Is Hard to Ignore
Let’s talk numbers:
• WhatsApp: ~3 billion users
• Signal: ~136 million users

This makes “Careless Whisper” one of the most widespread privacy vulnerabilities ever documented – not because it breaks encryption, but because it sidesteps it entirely.
From Surveillance to Weaponization
One detail that really stood out to me: battery drain as an attack vector.
Researchers demonstrated:
• 14 – 18% battery drain per hour on iPhones
• ~15% per hour on Android
• 13.3 GB of silent traffic per hour generated by a single attacker
No pop-ups.
No alerts.
Just a phone that mysteriously dies faster than usual.
That’s not just creepy – it’s operationally dangerous.
This Isn’t Just Academic
A proof-of-concept tool called Device Activity Tracker is already public on GitHub.
It works by:
• Sending reactions to invalid message IDs
• Measuring delivery receipt round-trip times
• Inferring device state in real time
Once a PoC exists, it’s only a matter of time before this gets productized.
Why Some Apps Aren’t Vulnerable
Interestingly, Threema avoids this issue almost entirely.
Why?
Because it restricts delivery receipts so tightly that:
• Unknown users can’t trigger them silently
• Any attempt requires sending a visible message
It’s less convenient – but dramatically more private.
That’s a design choice, not a technical limitation.
Current Mitigation (And Why It’s Weak)
WhatsApp’s current advice is:
Enable “Block unknown messages”
The problem?
• The “high volume” threshold that triggers blocking is undefined
• Probing at a moderate rate still works
• Signal offers no mitigation at all
This is an architectural issue, not a settings issue.
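To make the contrast between the two sections above concrete, here is an added example (not code from the paper, the Device Activity Tracker PoC, or any of the apps) that models a server's delivery-receipt policy over a constructed event log. It assumes a simple event format, a contact list, and an arbitrary volume threshold of 20 for the "block unknown senders" rule; it shows that moderate-rate probing with reactions to invalid message IDs slips past a volume threshold but earns no receipts under a Threema-style rule, and adds a server-side detector for the probing pattern.

```python
from collections import defaultdict

SILENT = {"reaction", "reaction_remove", "delete"}  # triggers that render nothing on the target

# Constructed event log: (time_s, sender, recipient, action, target_message_id_exists).
# An unknown number probes the target with a reaction to an invalid message id
# every 10 s (a moderate rate); a known contact exchanges ordinary traffic.
EVENTS = [(10.0 * i, "+15550000001", "+15550000999", "reaction", False) for i in range(12)]
EVENTS += [(5.0, "+15550000002", "+15550000999", "message", True),
           (65.0, "+15550000002", "+15550000999", "reaction", True)]
EVENTS.sort()
CONTACTS = {"+15550000999": {"+15550000002"}}  # recipient -> senders it knows

def is_contact(sender, recipient):
    return sender in CONTACTS.get(recipient, set())

def volume_policy(events, limit=20):
    """Assumed model of a 'block high-volume unknown senders' setting: an unknown
    sender keeps receiving delivery receipts until it exceeds `limit` events."""
    count, receipts = defaultdict(int), defaultdict(int)
    for _, src, dst, _action, _valid in events:
        if is_contact(src, dst) or count[(src, dst)] < limit:
            receipts[src] += 1
        count[(src, dst)] += 1
    return dict(receipts)

def restricted_policy(events):
    """Threema-style rule as the post describes it: a non-contact only earns a
    receipt by sending a visible message, never through a silent action."""
    receipts = defaultdict(int)
    for _, src, dst, action, _valid in events:
        if is_contact(src, dst) or action not in SILENT:
            receipts[src] += 1
    return dict(receipts)

def flag_probers(events, window=60.0, min_hits=5):
    """Server-side detector: flag senders whose silent actions toward non-contacts
    target invalid message ids at least `min_hits` times inside any `window` seconds."""
    hits = defaultdict(list)
    for ts, src, dst, action, valid in events:
        if action in SILENT and not valid and not is_contact(src, dst):
            hits[src].append(ts)
    flagged = set()
    for src, times in hits.items():
        for start in times:
            if sum(1 for t in times if start <= t < start + window) >= min_hits:
                flagged.add(src)
                break
    return flagged
```

Under the volume rule the prober collects a receipt for every probe because it never reaches the threshold; under the restricted rule it collects none, while the known contact is unaffected by either.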
Why This Matters More Than Ever
WhatsApp and Signal aren’t niche tools anymore.
They’re used by:
• U.S. Senate staff
• European Commission officials
• Defense and intelligence personnel
• Journalists, activists, and dissidents
When metadata reveals behavior, encryption alone isn’t enough.
My Take: This Is the Real Privacy Battlefield

“Careless Whisper” doesn’t break encryption.
It makes it irrelevant.
The uncomfortable truth is this:
• You don’t need message content to surveil someone
• Behavior is often more valuable than text
Until messaging apps treat metadata as seriously as ciphertext, we’ll keep seeing vulnerabilities like this – quiet, scalable, and devastating.
Privacy isn’t just about what you say.
It’s about what you reveal by existing online.
If you care about privacy-first design, this is the conversation we should be having.