Silent Stalkers: How Phone Numbers Enable Stealthy Surveillance via Encrypted Apps

The promise of end-to-end encryption in messaging apps like WhatsApp and Signal has long been a cornerstone of digital privacy. However, a sophisticated new surveillance technique reveals a critical chink in the armor: attackers can now conduct persistent, invasive tracking of a target's daily life using nothing more than a phone number, all while remaining completely undetected. Dubbed 'Silent Whisper' by researchers, this method exploits the very protocols designed to ensure reliable communication, turning a feature into a formidable surveillance tool.

The core of the 'Silent Whisper' attack lies in the abuse of delivery receipt mechanisms. When a message is sent via these apps, a series of automated, encrypted signals confirm its journey: sent, delivered, and sometimes read. The attack manipulates this process by silently triggering these receipt signals from the victim's device without their knowledge. By repeatedly and strategically sending messages or pings that solicit delivery confirmations, an attacker can create a constant, low-volume data stream from the target's phone.

This stream reveals a wealth of information. By analyzing the timing and network origin of these automated responses, an attacker can infer whether the device is active, asleep, or powered off. Patterns in this activity paint a detailed picture of the victim's daily routine—wake-up times, commute periods, work hours, and sleep schedule. Furthermore, changes in the network data (like shifts in IP addresses or cell tower IDs) can approximate location changes and frequented places, such as home, office, or gym, effectively mapping a person's movements over time.

The stealth of the attack is its most alarming feature. It operates entirely in the background, generating no notifications, sounds, or visible alerts on the victim's device. The target continues using their phone normally, completely unaware of the silent surveillance. The only potential physical indicators are side-effects: a noticeably faster battery drain and increased background data usage, which users often attribute to other apps or normal device aging.

This technique underscores a fundamental truth in cybersecurity: encryption protects content, but metadata is often the crown jewel for surveillance. 'Silent Whisper' bypasses the formidable encryption of message bodies to target the signaling metadata, which is equally rich in intelligence value. It represents a low-cost, highly accessible form of targeted surveillance that could be deployed by stalkers, corporate spies, or malicious actors without requiring deep technical expertise or physical access to the device.

Compounding this privacy threat is a separate but concurrent security crisis. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two newly discovered zero-day vulnerabilities in Apple's WebKit browser engine to its Known Exploited Vulnerabilities (KEV) catalog. WebKit is the engine that powers Safari and is used by all third-party browsers on iOS, making it a critical component for security.

The flaws, tracked as CVE-2025-23476 and CVE-2025-23477, are memory corruption issues that could allow a remote attacker to execute arbitrary code on a victim's device. Crucially, CISA notes these vulnerabilities are being exploited in sophisticated, targeted attacks in the wild. An attacker could compromise a device simply by tricking a user into visiting a maliciously crafted webpage. This method of attack, known as a drive-by download, requires no interaction beyond loading the page.

In response, Apple has released urgent security updates for iOS, iPadOS, macOS, and Safari. The patches are included in iOS 18.2.1, iPadOS 18.2.1, macOS Sonoma 14.5.1, and Safari 18.2.1. The company's advisory confirms that it is "aware of a report that this issue may have been exploited" against older versions of its software. All users are strongly urged to apply these updates immediately.

The convergence of these two threats—the stealthy 'Silent Whisper' tracking vector and the actively exploited WebKit zero-days—creates a perfect storm for mobile security. A user could be simultaneously tracked at a metadata level and potentially compromised at a system level. This layered attack strategy demonstrates the evolving sophistication of adversaries targeting personal devices.

For cybersecurity professionals and privacy-conscious users, the implications are stark. The 'Silent Whisper' technique reveals that the attack surface extends far beyond app vulnerabilities to include protocol design and implementation. Mitigation is challenging, as disabling delivery receipts degrades user experience and is not a default option in most apps. Users should be vigilant for unusual battery drain or data usage, though these are late-stage indicators. The broader lesson is that reliance on encryption alone provides a false sense of security; a holistic approach that includes metadata protection is essential.

Meanwhile, the rapid exploitation of the WebKit flaws reinforces the non-negotiable importance of prompt patch management. In enterprise environments, IT and security teams must prioritize the deployment of these Apple updates, especially for high-value targets who may be subject to targeted surveillance campaigns. The fact that these vulnerabilities were added to CISA's KEV catalog mandates action for U.S. federal agencies and serves as a critical benchmark for all organizations.

Looking ahead, the discovery of 'Silent Whisper' will likely pressure app developers to re-evaluate their signaling protocols and seek privacy-preserving methods for message delivery confirmation. Techniques like randomized response delays, batch sending of receipts, or implementing rate-limiting from unknown contacts could be potential avenues for research. Until then, user awareness and layered security practices—including regular updates, network monitoring, and a healthy skepticism of unsolicited contacts—remain the primary defenses in an increasingly opaque threat landscape.
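A sketch of two of the mitigations named above, rate-limiting receipts to unknown contacts and batch release of receipts, is given here as an added example; it is not code from WhatsApp, Signal, or the researchers. The `ReceiptPolicy` class, its parameters, and the sample sender values are all hypothetical.

```python
import math
from collections import defaultdict, deque

class ReceiptPolicy:
    """Hypothetical client-side policy: decides if and when a delivery receipt is released."""

    def __init__(self, contacts, max_unknown=3, window=3600.0, batch=300.0):
        self.contacts = set(contacts)
        self.max_unknown = max_unknown    # receipts allowed per window for unknown senders
        self.window = window              # rate-limit window in seconds
        self.batch = batch                # receipts leave only on batch boundaries
        self.recent = defaultdict(deque)  # sender -> arrival times of granted receipts

    def schedule(self, sender, received_at):
        """Return the time the receipt may be sent, or None to suppress it."""
        if sender not in self.contacts:
            granted = self.recent[sender]
            # Forget grants that have aged out of the sliding window.
            while granted and received_at - granted[0] >= self.window:
                granted.popleft()
            if len(granted) >= self.max_unknown:
                return None  # unknown sender over budget: no receipt, no timing signal
            granted.append(received_at)
        # Quantise the release time: the receipt reveals only which batch
        # interval the message arrived in, not the exact arrival moment.
        return (math.floor(received_at / self.batch) + 1) * self.batch

def simulate(policy, sender, count, interval=10.0):
    """Feed `count` constructed message arrivals, one every `interval` seconds."""
    releases = []
    for i in range(count):
        t = policy.schedule(sender, i * interval)
        if t is not None:
            releases.append(t)
    return releases

if __name__ == "__main__":
    policy = ReceiptPolicy(contacts={"alice"})
    # Constructed input: one hour of arrivals at 10-second spacing.
    unknown = simulate(policy, "+15550100", 360)
    known = simulate(policy, "alice", 360)
    print(len(unknown), "receipts released to the unknown sender")
    print(len(set(known)), "distinct release times seen by a contact")
```

With these settings, an unknown sender receives three receipts per hour instead of 360, and even a known contact observes only twelve distinct release times rather than per-message timing.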

NewsSearcher AI-powered news aggregation
