Your phone buzzes. A WhatsApp message lands in your notifications. You read it, set your phone down, and continue with your day. What you don't know is that someone just learned exactly when you picked up your device, how long you were active, and whether you're currently online, all without sending you a single visible message.
A newly revealed vulnerability, dubbed "Careless Whisper" by researchers at the University of Vienna and SBA Research, shows that encrypted messaging apps leak far more than their roughly three billion users realize: an attacker can profile a user's activity silently, without triggering a notification or breaking end-to-end encryption.
This isn't theoretical. Proof-of-concept tools are already available on GitHub that need nothing more than a target's phone number, and as of December 2025 the technique still works against both WhatsApp and Signal.
The Invisible Threat: How "Careless Whisper" Works
The mechanism is simple. The attacker sends a rapid stream of message reactions that refer to message IDs which do not exist, so nothing ever appears in the victim's chat history, yet both WhatsApp and Signal still return delivery receipts for them. By timing the round trip of those acknowledgements, the attacker infers the device's state: whether the screen is on, whether the device is on Wi-Fi or mobile data, or whether it is offline altogether.
The precision is unsettling. The researchers showed that receipt timing shifts when the user is actively using WhatsApp, with round trips of roughly 300 milliseconds while the app is in the foreground and noticeably slower responses when it is in the background. Sampled continuously, those shifts let an attacker reconstruct screen-time and estimate how long the victim spent in a particular app.
Run at high frequency, the technique exposes genuinely private information: which of a user's linked companion devices is in use, their daily routine, and what they are doing at a given moment. It also reveals how many sessions are currently active and which operating system each runs, and it can be turned into a resource exhaustion attack, all without a single notification appearing on the target's phone.
Beyond Privacy: Weaponizing Message Delivery
Beyond privacy extraction, the same receipts can be weaponised. By flooding a target with high-frequency, large-payload probes, each of which the victim's device must process and acknowledge, the researchers drained iPhone batteries by 14 to 18 percent per hour and Android batteries by roughly 15 percent per hour. A single attacker can push about 3.7 megabytes per second at a victim, around 13.3 gigabytes per hour, entirely silently, which is enough to burn through a mobile data quota or a battery long before the victim notices anything.
Signal fared better: its considerably stricter rate limits meant the researchers could not meaningfully drain the test phones, whose batteries fell by only about 1 percent after an hour of attack. WhatsApp, by contrast, imposes no meaningful rate limit on delivery receipt generation, leaving it especially exposed to high-frequency tracking campaigns.
State-Sponsored Surveillance Through Messaging Apps
The timing couldn't be worse. CISA has warned that cybercriminals and state-backed groups are using spyware to compromise the smartphones of people who use encrypted messengers such as Signal, WhatsApp and Telegram. These attackers do not try to break the end-to-end encryption; they compromise the device itself, where the messages are already decrypted.
A critical WhatsApp vulnerability, CVE-2025-55177, stems from incomplete authorization checks on WhatsApp's linked-device synchronization messages. A remote attacker could trigger a malicious synchronization message carrying a URL that points at an attacker-controlled server and force the target device to fetch and process arbitrary content from it.
It was exploited in a sophisticated chain: the synchronization bug was paired with an Apple ImageIO image-parsing flaw (CVE-2025-43300) so that a malicious image triggered on receipt with no user interaction, giving the attackers access to the target's location, photos, call logs and messages and the ability to switch on the microphone. WhatsApp said fewer than 200 individuals, primarily journalists and human rights defenders in the Middle East, were targeted over a roughly three-month period.
The Perfect Storm of Ignored Warnings
The researchers disclosed their findings to Meta (WhatsApp's parent company) and the Signal Technology Foundation on September 5, 2024. As of November 2025, over fourteen months later, Meta had acknowledged receipt but given no substantive response, and Signal had not responded at all. The only confirmed remediation was Firefox's fix for a specific activity-leakage issue. That extended inaction leaves billions of users exposed despite the severity of the disclosed attacks.
Both Meta and the Signal Foundation have known about this since September 2024, yet neither has shipped a protocol-level fix. Fixing it properly means changing how the clients acknowledge messages: at minimum, no longer generating receipts for reactions to message IDs the client has never seen, and rate-limiting receipts per sender the way Signal already does more strictly than WhatsApp. Complete remediation would likely go further, disabling some delivery receipt types altogether or making breaking protocol changes that could degrade the user experience.
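To make the defect and the fix concrete, here is a small model of a receiving client, written as an added example for this article; it is not code from WhatsApp, Signal or the researchers. It covers the receipt behaviour described in the section on how the attack works and the remediation discussed just above. The client, message IDs, the 20-receipts-per-minute cap and the fake clock are all assumptions chosen for illustration.

```python
"""Model of delivery-receipt handling: leaky versus hardened.

Added illustration for this article; not WhatsApp, Signal or the
researchers' code. The IDs, limits and clock below are assumptions.
"""
from collections import deque
from dataclasses import dataclass
import time


@dataclass
class Reaction:
    """A reaction to a message, as the attacker's probe would deliver it."""
    sender: str
    target_msg_id: str
    payload: bytes = b""


class LeakyClient:
    """Acknowledges every reaction, even to message IDs it has never seen.

    This is the behaviour the paper exploits: the UI shows nothing because
    the target message does not exist, but a delivery receipt still goes
    back, so every probe yields a timing sample and costs the victim CPU,
    radio and battery.
    """

    def __init__(self, known_msg_ids):
        self.known = set(known_msg_ids)
        self.receipts_sent = 0

    def handle(self, r: Reaction) -> bool:
        """Return True if a delivery receipt was sent for this reaction."""
        self.receipts_sent += 1  # no validation, no rate limit
        return True


class HardenedClient:
    """Only acknowledges reactions to real messages, and caps receipts per sender.

    1. A reaction whose target ID is unknown is dropped with no receipt, so
       probing with invented IDs yields nothing at all.
    2. Receipts per sender are capped at ``max_per_window`` in any sliding
       ``window_s``-second window, so even reactions to real messages cannot
       be used as a high-frequency probe or a traffic amplifier.
    """

    def __init__(self, known_msg_ids, max_per_window=20, window_s=60.0,
                 clock=time.monotonic):
        self.known = set(known_msg_ids)
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock  # injectable so the window can be tested offline
        self._recent: dict[str, deque] = {}
        self.receipts_sent = 0
        self.dropped = 0

    def handle(self, r: Reaction) -> bool:
        now = self.clock()
        q = self._recent.setdefault(r.sender, deque())
        while q and now - q[0] >= self.window_s:  # expire old receipt times
            q.popleft()
        if r.target_msg_id not in self.known or len(q) >= self.max_per_window:
            self.dropped += 1
            return False  # silence: no receipt, no timing sample, no traffic
        q.append(now)
        self.receipts_sent += 1
        return True


def probe(client, sender: str, count: int, msg_id: str = "id-never-sent") -> int:
    """Attacker's view: how many of ``count`` probe reactions earned a receipt.

    The default target ID is one the victim never received, mirroring the
    invalid-ID trick the paper describes.
    """
    return sum(client.handle(Reaction(sender, msg_id)) for _ in range(count))


class FakeClock:
    """Constructed clock so the sliding window can be exercised deterministically."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    real_ids = ["m1", "m2", "m3"]  # constructed: messages the victim really has
    print("leaky, invalid IDs:", probe(LeakyClient(real_ids), "attacker", 1000))
    clk = FakeClock()
    hard = HardenedClient(real_ids, clock=clk)
    print("hardened, invalid IDs:", probe(hard, "attacker", 1000))
    print("hardened, real ID, one window:", probe(hard, "attacker", 1000, "m1"))
    clk.advance(61)
    print("hardened, real ID, next window:", probe(hard, "attacker", 5, "m1"))
```

Against the leaky client every one of a thousand invalid-ID probes comes back acknowledged; against the hardened client none do, and even probes aimed at a real message are capped at twenty per minute per sender, which is far too coarse a signal to reconstruct screen activity with. Note that the cap is per sender, so a normal contact's receipts are unaffected by an attacker's flood.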
Who's Really at Risk?
The vulnerability matters most for sensitive populations. U.S. Senate staff, European Commission personnel and a number of senior government officials rely on Signal for sensitive communications. Recent media reports indicate that high-ranking U.S. officials, including Defense Department leadership, use both WhatsApp and Signal for sensitive discussions, and that some of their phone numbers are publicly findable online, which is all this attack requires.
Threat actors have primarily targeted high-value individuals in the US, the Middle East and Europe, aiming to compromise their personal devices and keep access for as long as possible. Targets include current and former senior government, military and political officials as well as people from civil society organizations.
The Telegram Deception: Why Default Settings Matter
WhatsApp's default cloud backups to iCloud or Google Drive are not covered by its end-to-end encryption unless you explicitly turn on end-to-end encrypted backups, so by default your chat history sits on Apple's or Google's servers in a form those companies, and anyone who can compel them, could read. Telegram is worse: its standard chats are NOT end-to-end encrypted at all, only "Secret Chats" are. If you use standard chats, your messages sit on Telegram's servers, accessible if a government successfully pressures the company.
Following pressure from French authorities, who detained Pavel Durov at an airport near Paris in August 2024, Telegram updated its terms of service to permit sharing users' IP addresses and phone numbers with authorities in response to "valid legal requests." Telegram's own transparency report shows the effect: 900 information requests from US authorities covering 2,253 users in 2024 alone.
Your Defense Strategy: What Actually Works
Immediate Actions
For WhatsApp users: the best available mitigation is "Block unknown account messages" under Settings → Privacy → Advanced, which silences messages from accounts you have never interacted with once they arrive in high volume. WhatsApp does not say what counts as high volume, however, and an attacker probing at a moderate rate may well stay under the threshold, so treat it as a partial control rather than a fix.
For all messaging app users: turn on Face ID, Touch ID or the platform equivalent inside every app that supports it; banking apps, password managers and secure messengers all offer it. Bear in mind what it does and does not do: an app lock stops someone holding your unlocked phone from reading your chats, but it does nothing against remote tracking or a remote exploit.
Keep your operating system updated, not next week but when the notification appears. Security patches fix real, actively exploited vulnerabilities, and the window between a patch and a working exploit is now short.
Review permissions under Settings → Privacy & Security to see what each app can access (camera, microphone, location, contacts) and revoke anything that makes no sense for what the app actually does.
The Signal Advantage
Signal remains the most secure mainstream messaging app available to consumers in 2026. End-to-end encryption covers everything (messages, calls and media) using the Signal Protocol, which is open source and has been independently audited multiple times. Minimal metadata is stored, and sealed sender keeps even Signal's own servers from learning who is talking to whom. Disappearing messages, no ads, no data collection. None of that helps against Careless Whisper, which never touches message content; Signal's only advantage there is the stricter rate limiting that blunts the battery and data drain.
Signal also has an excellent security track record. No software is bug-free, but Signal has consistently shown a commitment to transparency, rapid patching and a small attack surface, and its open-source code base allows public scrutiny that helps find and fix vulnerabilities.
What Doesn't Work
You can disable read receipts on both apps, but you cannot fully disable delivery receipts, and delivery receipts are exactly what the tracking attack measures. Your phone still confirms that a message (or a reaction to a nonexistent one) arrived. Turning off read receipts is worth doing for ordinary messages, but it does not protect against this specific attack.
The Bigger Picture: Why This Matters Now
Attackers are using artificial intelligence to find vulnerabilities faster than defenders can patch them. One analysis counted 161 CVEs exploited in the first half of 2025, almost half of them tied to malware or ransomware campaigns. The gap between disclosure and exploitation has shrunk to hours, with proofs of concept often public within 48 hours of a critical vulnerability being announced.
Attack tooling is now frequently ahead of the defences meant to stop it. An AI-assisted attack service can be rented on the dark web for less than the cost of a dinner out, and it will try a million username and password combinations across dozens of apps in an afternoon.
As data breaches, surveillance, and digital tracking continue to rise, private communication has become a necessity, not a luxury.
What Comes Next
Expect this issue to remain a concern until the platforms change how delivery receipts are generated or the research community finds compensating controls. In the interim, the best defence is understanding your actual threat model and applying the privacy controls available to you, with a clear view of their limits.
Meta and the Signal Foundation were warned in 2024, and neither has shipped a protocol-level fix. Until they do, the settings above are your best available mitigation, not a solution.
The era of "set it and forget it" privacy is over. Your digital security requires active management, informed choices, and constant vigilance. The companies building these platforms have shown they won't protect you by default, so you'll have to protect yourself.
