A new class of covert surveillance technology is emerging that does not rely on spyware, malware, or hacking — only on messaging apps that billions of people already use.

Fortaris detected the release of an open-source proof-of-concept tool that allows an attacker to infer a target’s device state and presence using nothing more than their phone number on WhatsApp or Signal.

No messages appear.
No notifications are triggered.
No permissions are required.

The victim never knows they are being monitored.

What Was Detected

The detected tool exploits a side-channel in WhatsApp’s message delivery system.

By sending specially crafted “reaction” probes to invalid message IDs via an unofficial WhatsApp API, the attacker receives silent delivery receipts that are not shown to the target user.

By measuring the round-trip time (RTT) of these receipts, the attacker can infer:

• Whether the phone is online or offline

• Whether it is on Wi-Fi or mobile data

• Whether the screen is active

• Whether the device is idle or asleep

Repeated over time, this creates a behavioural fingerprint of the target.

What This Enables

This technique allows attackers to determine:

• When a person is home

• When they are asleep

• When they are away

• When they are active and reachable

All without ever sending a message.

This is not location tracking — it is presence tracking, which is often more dangerous.

Threat Scenarios

1. Targeted Stalking and Harassment

An attacker tracks a victim’s daily rhythm, learning when they sleep, leave home or are isolated. This enables physical stalking, intimidation and abuse.

2. Executive and Journalist Surveillance

Hostile actors monitor high-value individuals to identify travel, work patterns and vulnerability windows for social engineering or physical compromise.

3. Mass Behavioural Profiling

Large datasets of phone numbers can be silently profiled to map population-level movement and activity patterns, even without GPS data.

Why This Matters

This attack bypasses:

• Device security

• App permissions

• Encryption

• Malware detection

It turns ordinary messaging infrastructure into a global surveillance network.

This is the future of privacy risk: not breaches, but invisible inference.

How Fortaris Detected It

Fortaris flagged:

• The release of a working GitHub proof-of-concept

• The appearance of technical papers describing the technique

• The spread of this method through security and hacking communities

This pattern indicates weaponisation, not research.

Final Thought

The most dangerous surveillance tools are not the ones that break in.

They are the ones that never need to.

This is the new cyber-physical perimeter Fortaris was built to defend.