No malware. No clicking on sketchy links. All a hacker needs is your phone number to track your sleep schedule, app usage, and physical location.
When the ‘Careless Whisper’ research was first published in late 2025, it sent shockwaves through the cybersecurity community. Yet, months later, the underlying architecture of these apps remains largely unchanged.
We’ve been conditioned to trust end-to-end encrypted (E2EE) messaging apps. Signal is the gold standard for privacy, and WhatsApp brings secure messaging to billions. We trust them because the contents of our messages are mathematically locked away from prying eyes.
But what if the danger isn’t in what you are saying, but in the underlying plumbing of how the apps deliver those messages?
A groundbreaking research paper titled “Careless Whisper,” published by researchers at the University of Vienna, has exposed a glaring vulnerability in the architecture of the world’s most popular messaging apps. By exploiting a feature we all take for granted — delivery receipts — attackers can silently monitor your daily habits, map your devices, and even drain your battery and data, all without you ever receiving a single notification.
Here is how the “Spooky Stranger” attack works, and why your favorite secure messenger might be inadvertently acting as a tracking beacon.
To understand the exploit, you have to understand the journey of a message.
When you send a message on WhatsApp or Signal, it first goes to the company’s server. You get a single checkmark. When the message actually arrives at the recipient’s device and decrypts successfully, the device sends a signal back. You get a double checkmark. This is your delivery receipt.
Unlike read receipts (the blue ticks), delivery receipts cannot be turned off. They are fundamentally baked into the cryptography of the apps to ensure forward secrecy.
On the surface, timing how long a delivery receipt takes to bounce back (the Round-Trip Time, or RTT) might seem harmless. But the researchers discovered that by spamming a device with messages and measuring these microsecond differences, they could infer a terrifying amount of data about the phone’s state.
But wouldn’t the victim notice their phone blowing up with messages?
This is the genius (and terrifying) part of the exploit. Instead of sending standard text messages, the attackers send message reactions (like a thumbs-up emoji) to messages that don’t actually exist. They use custom-built open-source clients to bypass the standard app interfaces.
When the victim’s phone receives this ghost reaction, the app processes it, realizes it references a nonexistent message, discards it, and hides the notification from the user. However, the app still sends back a delivery receipt.
The result? The attacker can ping your phone up to 20 times per second entirely invisibly.
By analyzing the jitter and latency of these delivery receipts, attackers can read your phone like an open book. Here is what they can figure out:
1. Are you using your phone?
When your phone is locked and sitting on a desk (Screen Off), it enters a low-power standby mode. Delivery receipts take about 1 to 2 seconds to return. The moment you unlock your phone (Screen On), the processor wakes up, and that response time drops drastically. If you actually open WhatsApp, the ping returns almost instantly (under 350 milliseconds).
2. Are you on WiFi or Cellular?
WiFi networks process these background pings with highly predictable, stable timing. Cellular networks (LTE/5G) introduce distinct, scattered latency patterns. An attacker can watch your phone switch from WiFi to Cellular to know exactly when you’ve left your house or arrived at the office.
3. What kind of phone are you using?
Different hardware handles background tasks differently. Apple, Samsung, and Xiaomi devices all have distinct timing signatures, allowing a remote attacker to fingerprint your operating system and phone model.
The threat multiplies if you use linked companion devices, like WhatsApp Web on your work laptop or the Signal Desktop app.
Because of how End-to-End Encryption works, a message must be individually encrypted and sent to every single device you own. Consequently, every device sends its own independent delivery receipt.
An attacker can individually monitor the online status of your phone, your work PC, and your home desktop. If your work PC starts returning receipts at 9:00 AM and stops at 5:00 PM, and your home PC comes online at 6:00 PM, the attacker has successfully mapped your daily commute, work hours, and physical locations. All from a willing participant — your own devices.
This opens the door to inferring connections between users, too. If an attacker monitors two individuals and notices their phones consistently switch to “App Open” at the exact same times late at night, it’s a strong statistical indicator that they are messaging each other.
Beyond surveillance, this vulnerability opens the door to devastating Resource Exhaustion Attacks.
Because WhatsApp does not enforce strict rate limits or payload sizes on these hidden reactions, an attacker can continuously bombard a victim’s phone with massive data payloads attached to these invisible pings.
The researchers showed that an attacker could force your phone to secretly download 13.3 gigabytes of data per hour. If you are on a limited cellular plan, this could result in massive overage charges.
Worse yet, the constant radio activity prevents your phone from ever entering “Deep Sleep” mode. In tests, the researchers successfully drained an iPhone 11’s battery by an astonishing 18% per hour while the screen was completely off. The victim would simply assume their battery is degrading, completely unaware they are under an active denial-of-service attack.
(Note: Signal’s rate limiting is much stricter, limiting the data drain to a far less destructive 360 MB per hour.)
The most alarming aspect of the “Careless Whisper” exploit is the “Spooky Stranger” element. The attacker does not need to be in your contacts. They don’t need a prior conversation history. They simply need your phone number.
So, what are Meta (WhatsApp) and the Signal Technology Foundation doing about this?
According to the researchers: basically nothing. The findings were responsibly disclosed to both companies in September 2024. Meta responded with a boilerplate acknowledgment and didn’t provide a substantive update for nearly a year. Signal, incredibly, never responded at all.
Fixing this issue isn’t impossible. Companies could add random “noise” (artificial delays of a few seconds) to delivery receipts to destroy the precise timing data, or enforce stricter server-side validation to drop fake reactions before they ever reach your phone.
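To show why the amount of added noise matters, here is an added simulation (not code from the paper, the article, or either messenger). It assumes simple uniform RTT ranges taken from the numbers above (1 to 2 seconds with the screen off, under 350 milliseconds with the app open), delays each receipt by a random amount up to `max_delay` seconds, and measures the best accuracy any single timing threshold could still reach in telling the two states apart:

```python
import random

# Constructed RTT ranges (seconds) that mirror the figures quoted in the article.
# These are simulated values, not measurements from the research.
RTT_RANGES = {
    "screen_off": (1.0, 2.0),
    "app_open": (0.1, 0.35),
}


def simulate_rtts(state, n, rng):
    """Draw n delivery-receipt round-trip times for a given device state."""
    low, high = RTT_RANGES[state]
    return [rng.uniform(low, high) for _ in range(n)]


def pad_receipt(rtt, rng, max_delay):
    """Proposed mitigation: the recipient holds the delivery receipt for a random
    extra delay of up to max_delay seconds before sending it back."""
    return rtt + rng.uniform(0.0, max_delay)


def best_threshold_accuracy(off_rtts, open_rtts):
    """Best accuracy any rule of the form 'RTT <= t means app open' can reach on
    the observed timings. 1.0 means the states are fully separable; 0.5 means
    timing reveals nothing. Single sweep over the sorted, labelled values."""
    labelled = sorted([(r, 1) for r in open_rtts] + [(r, 0) for r in off_rtts])
    n_open, n_off = len(open_rtts), len(off_rtts)
    best = 0.5  # threshold below every value: everything is called screen_off
    open_below = off_below = 0
    for _, is_open in labelled:
        open_below += is_open
        off_below += 1 - is_open
        acc = 0.5 * (open_below / n_open + (n_off - off_below) / n_off)
        best = max(best, acc)
    return best


def inference_accuracy(max_delay, n=1000, seed=1):
    """Separability of screen_off vs app_open after padding receipts by up to
    max_delay seconds (max_delay=0 reproduces the unmitigated case)."""
    rng = random.Random(seed)
    off = [pad_receipt(r, rng, max_delay) for r in simulate_rtts("screen_off", n, rng)]
    opn = [pad_receipt(r, rng, max_delay) for r in simulate_rtts("app_open", n, rng)]
    return best_threshold_accuracy(off, opn)


if __name__ == "__main__":
    for delay in (0.0, 1.0, 3.0, 10.0):
        print(f"max random delay {delay:4.1f}s -> best inference accuracy "
              f"{inference_accuracy(delay):.2f}")
```

In this model a delay of up to 3 seconds still leaves the two states distinguishable about 70% of the time, because the padding is barely wider than the gap it is meant to hide; only padding much larger than the difference between states pushes the result toward a coin flip.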
But until the tech giants patch the underlying plumbing, you are largely on your own.
Here is what you can do today:
We naturally focus on the contents of our conversations when we think about privacy. But as this research proves, the digital metadata — the invisible echoes your phone sends into the void — can speak much louder than your words.