
How (almost) any phone number can be tracked via WhatsApp & Signal – open-source PoC

High
Published: Sun Dec 07 2025 (12/07/2025, 16:33:23 UTC)
Source: Reddit NetSec

Description

A side-channel tracking technique leveraging WhatsApp and Signal allows an attacker to infer a target phone's device activity state (screen on/off, offline) by sending silent probe reactions to invalid message IDs and measuring delivery receipt round-trip times. This method does not generate visible notifications or messages on the victim's device, making it stealthy. Over time, attackers can profile user behavior such as when they are home, sleeping, or mobile. The attack requires the ability to send messages to the target number, which can be mitigated by restricting unknown contacts in privacy settings. Although no direct data breach occurs, this privacy-invasive tracking poses significant risks. The threat is relevant to European users given WhatsApp and Signal's widespread adoption. No known exploits in the wild exist yet, but the proof-of-concept is publicly available.

AI-Powered Analysis

Last updated: 12/07/2025, 16:39:29 UTC

Technical Analysis

This threat exploits a side-channel vulnerability in WhatsApp and Signal messaging platforms, demonstrated through an open-source proof-of-concept called “Careless Whisper.” The attacker uses an unofficial WhatsApp API to send tiny probe reactions to special or invalid message IDs. Although these probes do not produce visible messages or notifications on the victim’s device, WhatsApp still returns silent delivery receipts. By measuring the round-trip time (RTT) of these receipts, the attacker can infer the device’s activity state: low RTT indicates the screen is on and active (often on Wi-Fi), higher RTTs correspond to screen on with mobile data, and very high RTTs or timeouts indicate the device is offline or in standby. This timing side-channel allows an attacker to build a behavioral profile of the target, such as typical home presence, sleep patterns, and mobility. The same class of leak exists for Signal, as noted in the original research paper. The attack’s stealthiness stems from the absence of any visible interaction on the victim’s side and the use of silent delivery receipts. However, the attack requires the ability to send messages or reactions to the victim’s phone number, which can be limited via privacy settings. The technique may be detectable through unusual network traffic patterns and causes slight additional battery and data usage on the victim device. The open-source PoC and the original academic paper provide detailed technical insights, but no known active exploitation campaigns have been reported. This vulnerability highlights a privacy risk rather than a direct compromise of message content or device integrity.

Potential Impact

For European organizations and individuals, this threat primarily impacts privacy and operational security rather than direct system compromise. The ability to remotely and covertly track device activity states can enable adversaries to infer sensitive behavioral patterns, such as when employees or key personnel are likely at home, asleep, or traveling. This could facilitate targeted social engineering, physical surveillance, or timing of attacks to coincide with periods of reduced vigilance. Organizations relying on WhatsApp or Signal for secure communications may face increased risks of metadata leakage, undermining confidentiality assurances. Privacy-conscious sectors such as government, defense, legal, and finance could be particularly affected. Additionally, the stealthy nature of the attack complicates detection and response. While no direct data breach or remote code execution is involved, the erosion of privacy and potential for profiling represents a significant threat vector in the European context, where data protection regulations like GDPR emphasize user privacy. The attack also raises concerns about the security of widely used encrypted messaging platforms and their metadata handling.

Mitigation Recommendations

European organizations and users should immediately review and tighten privacy settings on WhatsApp and Signal to restrict or block messages from unknown numbers, effectively preventing unsolicited probes. Specifically, in WhatsApp, navigate to Settings → Privacy → Advanced and disable or limit message reception from unknown contacts. Organizations should educate employees about this threat and encourage cautious sharing of phone numbers. Network monitoring tools can be configured to detect unusual, repetitive probe-like traffic patterns targeting messaging services, aiding early detection. Where possible, use alternative communication channels with stronger metadata protection or enterprise-secured messaging platforms. Developers and platform providers should be urged to address this side-channel by modifying delivery receipt behaviors or implementing rate limiting on reactions to invalid message IDs. Regular audits of messaging app permissions and network activity on corporate devices can help identify anomalous behavior. Finally, organizations should incorporate this threat into their privacy risk assessments and incident response plans, emphasizing metadata leakage risks.
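
The rate limiting on reactions to invalid message IDs recommended above could look like the following sketch. This is an added example, not code from WhatsApp, Signal, the PoC or the paper. It assumes a hypothetical component that knows which message IDs exist in a conversation (for example the receiving client); the class name, the thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # assumed sliding-window length
MAX_INVALID_REACTIONS = 3    # assumed receipt budget per sender/recipient pair


class InvalidReactionLimiter:
    """Hypothetical gate deciding whether a reaction may trigger a delivery receipt."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_INVALID_REACTIONS):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)  # (sender, recipient) -> recent timestamps

    def allow_receipt(self, sender, recipient, message_id, known_ids, now):
        # A reaction to a message that exists in the conversation is normal traffic.
        if message_id in known_ids:
            return True
        hits = self._hits[(sender, recipient)]
        # Forget invalid-ID reactions that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        hits.append(now)
        # Bound memory: limit + 1 timestamps are enough to stay over budget.
        if len(hits) > self.limit + 1:
            hits.popleft()
        return len(hits) <= self.limit


def replay(events, known_ids):
    """Return {(sender, recipient): suppressed_receipt_count} for a list of events."""
    limiter = InvalidReactionLimiter()
    suppressed = defaultdict(int)
    for ts, sender, recipient, message_id in sorted(events):
        if not limiter.allow_receipt(sender, recipient, message_id, known_ids, ts):
            suppressed[(sender, recipient)] += 1
    return dict(suppressed)


# Constructed sample data: (timestamp_seconds, sender, recipient, referenced_message_id)
KNOWN_IDS = {"msg-1001", "msg-1002"}
EVENTS = [(t, "sender-a", "recipient-x", f"unknown-{t}") for t in range(0, 20, 2)]
EVENTS += [(5, "sender-b", "recipient-x", "msg-1001"),   # valid reaction
           (30, "sender-b", "recipient-x", "stale-1")]   # single stray invalid ID

if __name__ == "__main__":
    print(replay(EVENTS, KNOWN_IDS))
```

The per-pair suppressed count doubles as a detection signal: a sender that keeps exhausting the budget against one recipient matches the repetitive probe pattern described in the analysis.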


Technical Details

Source Type: reddit
Subreddit: netsec
Reddit Score: 2
Discussion Level: minimal
Content Source: reddit_link_post
Domain: arxiv.org
Newsworthiness Assessment: {"score":39.2,"reasons":["external_link","newsworthy_keywords:rce,hacked,hotfix","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce","hacked","hotfix","ttps"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6935adb3551a24bb8cca3466

Added to database: 12/7/2025, 4:39:15 PM

Last enriched: 12/7/2025, 4:39:29 PM

Last updated: 12/8/2025, 3:51:17 AM

Views: 35
