
A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything.
- Free tracking tool exploits WhatsApp and Signal protocols to monitor 3 billion users' activity without detection.
- Attackers can determine sleep schedules, location patterns, and device status using only a phone number.
- Malicious tracking drains iPhone batteries by up to 18% per hour and consumes significant mobile data.
- Enable “Block unknown account messages” in WhatsApp privacy settings to reduce tracking vulnerability risks.
The new user activity tracking method exploits how WhatsApp or Signal messaging protocols work at the fundamental level – it abuses delivery receipts to calculate the signal round-trip time (RTT).
Apparently, anyone can ping your device, the app will respond, and the RTT will vary wildly depending on what the phone is doing and whether it is using WiFi or mobile data.
Security researchers first described this vulnerability, dubbed “Silent Whisper,” in a paper released last year.
“An adversary can craft stealthy messages that enable probing a target at high frequency (up to sub-second granularity) while not causing any notification at the target side and also in the absence of an ongoing conversation,” warned the researchers, Gegenhuber et al. of the University of Vienna and SBA Research.
However, now one cybersecurity researcher, operating under the alias “gommzystudio” on GitHub, has released a proof-of-concept tool that demonstrates how easy it is to track sensitive user activity.
“A phone number can reveal whether a device is active, in standby, or offline (and more),” the developer writes.
Fast ping – you’re browsing at home, slow ping – you’re away
Messenger apps send delivery receipts and read receipts whenever a user gets a message or a reaction to the message. However, to obtain these receipts, attackers do not need to send any actual messages.
Instead, they can “react” to non-existent messages.
“The tracker sends reaction messages to non-existent message IDs, which triggers no notifications at the target,” gommzystudio explains.
The apps respond before checking if the message/reaction actually exists, because delivery receipts (ACK) are sent automatically to confirm network packet reception at a low level.
“I was able to spam probes at roughly 50ms intervals without the target seeing anything at all – no popup, no notification, no message, nothing visible in the UI,” the researcher further explains on Reddit.
“The device starts draining battery much faster, and mobile data usage shoots up significantly. The victim still can’t detect any of this unless they physically connect the iPhone to a computer and dig through.”
What can an attacker achieve with 20 pings every second, measuring how long it takes for the delivery receipt to come back? It turns out they leak a lot of information:
- A low RTT indicates that the device is actively in use, the screen is on, and it is typically connected to WiFi
- A bit higher RTT signals that the device is active with the screen on, but on mobile data
- High RTT indicates that the screen is off and the device is in standby mode on WiFi
- Very high RTT signals standby (screen off) on mobile data, or bad reception
- Timeouts and failures indicate that the device is offline or in airplane mode
- Highly varying RTT indicates a moving device
“Over time, you can use this to infer behavior: when someone is probably at home (stable Wi-Fi RTT), when they’re likely sleeping (long standby/offline stretches), when they’re out and moving around (mobile data RTT patterns),” the researcher warns.
“Call it tracking, profiling, fingerprinting – whatever. It’s definitely more than ‘online/offline.’”
The repository on GitHub attracted significant attention with over 250 stars already and 36 forks.
While the tool is aimed at research and educational purposes only, anyone can download and use it to track others.
“Never track people without explicit consent – this may violate privacy laws,” the researcher warns. “Use responsibly. This tool demonstrates real security vulnerabilities that affect millions of users.”
Batteries can be depleted in a few hours
The original paper details even more ways attackers can exploit this flaw.
Researchers significantly increased battery drainage for all tested phones. Hackers can drain a battery very quickly simply by knowing the phone number.
Typically, an idle phone consumes less than 1% of its battery per hour. However, during tests with WhatsApp, the iPhone 13 Pro lost 14% per hour, the iPhone 11 lost 18% per hour, and the Samsung Galaxy S23 lost 15% per hour.
The Signal app, however, has implemented rate limiting for receipts, which WhatsApp didn’t have. As a result, an hour of attack against Signal decreased the battery charge by only 1%.
This malicious activity also drains data allowance and degrades the usability of other bandwidth-intensive applications, such as video calls.
Researchers also detailed that delivery receipts were used to narrow down the user's location (e.g., UAE vs. Germany). Attackers could likely use multiple devices from multiple locations to probe and more accurately determine the target location.
Inconsistencies in RTTs may also indicate what type of device the victim uses, and its OS.
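The receipt rate limiting attributed to Signal in this section can be illustrated with a per-sender token bucket, paired with a counter for reactions that reference message IDs the device never received. This is an added example, not code from Signal, WhatsApp, the paper or the released tool; the class name, thresholds, sender labels and traffic are constructed assumptions.

```python
from collections import defaultdict

# All thresholds below are assumed values for illustration, not vendor settings.
REFILL_MS = 5000          # one receipt credit is earned every 5 s per sender
BURST = 5                 # receipts a sender may trigger back-to-back
CAP_MS = BURST * REFILL_MS
ORPHAN_ALERT = 10         # reactions to unknown message IDs before flagging

class ReceiptGate:
    """Decides whether a delivery receipt is returned for an incoming reaction."""

    def __init__(self, known_message_ids):
        self.known = set(known_message_ids)
        self.credit = defaultdict(lambda: CAP_MS)   # per-sender credit, in ms
        self.last_seen = {}
        self.orphans = defaultdict(int)

    def on_reaction(self, sender, target_msg_id, ts_ms):
        # Refill by elapsed time since this sender's previous event, capped.
        if sender in self.last_seen:
            elapsed = ts_ms - self.last_seen[sender]
            self.credit[sender] = min(CAP_MS, self.credit[sender] + elapsed)
        self.last_seen[sender] = ts_ms
        # A reaction pointing at a message we never received is a probe signal.
        if target_msg_id not in self.known:
            self.orphans[sender] += 1
        if self.credit[sender] < REFILL_MS:
            return False                      # suppress the receipt
        self.credit[sender] -= REFILL_MS
        return True

    def flagged_senders(self):
        return sorted(s for s, n in self.orphans.items() if n >= ORPHAN_ALERT)

def simulate():
    """Constructed traffic: one prober at 50 ms intervals for 60 s, one contact."""
    gate = ReceiptGate(known_message_ids={"msg-1", "msg-2"})
    probe_receipts = sum(
        gate.on_reaction("prober", f"missing-{i}", i * 50) for i in range(1200)
    )
    contact_receipts = sum(
        gate.on_reaction("contact", mid, ts)
        for mid, ts in [("msg-1", 1_000), ("msg-2", 30_000)]
    )
    return probe_receipts, contact_receipts, gate.flagged_senders()

if __name__ == "__main__":
    print(simulate())
```

Under these assumed limits the high-frequency sender receives 16 receipts for 1,200 reactions and is flagged, while the ordinary contact's two reactions are both acknowledged. Fewer receipts means fewer timing samples and fewer device wake-ups, which is consistent with the lower battery drain reported for Signal.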
How to protect yourself from being tracked?
If you don’t want strangers probing your device, go to WhatsApp Settings, select Privacy, go to Advanced, and enable “Block unknown account messages.”
“This setting may reduce an attacker’s ability to spam probe reactions from unknown numbers, because WhatsApp blocks high-volume messages from unknown accounts,” gommzystudio suggests.
“However, WhatsApp does not disclose what ‘high volume’ means, so this does not fully prevent an attacker from sending a significant number of probe reactions before rate-limiting kicks in.”
The researcher warns that disabling read receipts helps with regular messages, but does not completely protect against this specific attack.
“As of December 2025, this vulnerability remains exploitable in WhatsApp and Signal,” gommzystudio said.
Signal also allows users to disable receipts and typing indicators in privacy settings.
It is good practice to disable or restrict delivery (read) receipts, “Last Seen,” “Online,” and similar status updates on all messaging apps.
Cybernews has reached out to Meta and Signal for comment and will update the story with their responses.