A “zero-click attack” sounds ominous, but are you and your devices at risk? Let’s go over what a zero-click attack is, why they’re so concerning, and what you can do to protect yourself.
What Are Zero-Click Attacks?
As the name implies, a zero-click cyberattack can compromise a device without any action from its owner. Whereas other attack methods—phishing or smishing, for example—rely on social engineering to trick people into clicking bad links or initiating a seemingly legit download, zero-click attacks use existing vulnerabilities in operating systems to get around that entirely.
These are not to be confused with zero-day attacks, which are vulnerabilities that are actively being exploited and need to be patched immediately, but require user action to run. Zero-click attacks allow access to a device without the user taking any action, potentially ensnaring even the most tech-savvy people.
The most notable zero-click attack of late is the Pegasus software from Israeli firm NSO Group. It’s made headlines for years, with the University of Toronto’s Citizen Lab highlighting attacks on iOS and Android devices in 2018 and again in 2021. Though NSO denies any wrongdoing, Citizen Lab says Pegasus is used by clients to spy on activists and other high-profile officials. In December, Google’s Project Zero team published a technical analysis of the so-called FORCEDENTRY exploit that was used by NSO Group to infect target iPhones with its Pegasus spyware via iMessage.
Zero-click attacks are so pernicious because they are basically invisible; all an attacker needs to do is send the malicious data to your phone or device—no click or tap needed on your part. Victims are usually unaware anything is happening, so attackers can take their time poking around the device.
As security researcher David Balaban put it for IT Governance: “From a malefactor’s perspective, the beauty of a zero-click attack is that they don’t have to boil their efforts down to social engineering or ‘spray and pray’ practices (like recent COVID-19-themed phishing) with a low success rate.”
How Does a Zero-Click Attack Work?
Zero-click attacks exploit existing loopholes in the data-verification function of apps and operating systems. Any system that parses data it receives to see if that data can be trusted is vulnerable to a zero-click attack. Attackers send bad code via email or messaging apps inside something that appears innocuous to the system, like a PDF, hidden image, or text message.
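As an added illustration (not code from the original article), the C sketch below shows the kind of checks a parser has to make on data it receives automatically, before any decoder touches it. The "ZIMG" format, the size limit and all function names are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format (an assumption for illustration, not a real codec):
 *   bytes 0-3   magic "ZIMG"
 *   bytes 4-7   width  (little-endian uint32)
 *   bytes 8-11  height (little-endian uint32)
 *   bytes 12..  one byte per pixel
 */
#define HDR_LEN 12u
#define MAX_DIM 16384u  /* policy limit chosen for this example */

enum parse_result { PARSE_OK = 0, ERR_SHORT, ERR_MAGIC, ERR_DIM, ERR_LENGTH };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What a careless decoder computes: the 32-bit product wraps around, so
 * very large declared dimensions can produce a tiny buffer size. */
uint32_t naive_pixel_bytes(uint32_t w, uint32_t h) { return w * h; }

/* Validate an untrusted message; outputs are written only on PARSE_OK. */
enum parse_result validate_image(const uint8_t *buf, size_t len,
                                 uint32_t *w_out, uint32_t *h_out) {
    if (len < HDR_LEN) return ERR_SHORT;
    if (memcmp(buf, "ZIMG", 4) != 0) return ERR_MAGIC;
    uint32_t w = rd32le(buf + 4), h = rd32le(buf + 8);
    /* Bound each dimension first so the 64-bit product cannot overflow. */
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return ERR_DIM;
    uint64_t need = (uint64_t)w * h;
    /* The declared size must match the bytes that actually arrived. */
    if (need != (uint64_t)(len - HDR_LEN)) return ERR_LENGTH;
    *w_out = w;
    *h_out = h;
    return PARSE_OK;
}
```

A message that declares 65536 x 65536 pixels with no pixel data looks consistent to the naive size calculation (it wraps to 0) but is rejected by the validator.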
A real-world example of this could be a vulnerability in an email messaging app on your phone. If a malicious hacker finds the vulnerability, all they’d have to do is send you an email message containing their bad code. Once the email is received, that code activates and infects the target phone, giving the hacker access to all the emails on your device. Even if the original email is deleted, the infection persists. And since we all delete emails we’ve read or don’t recognize, chances are there won’t be any trace of the attack left on your phone for very long.
Security measures meant to protect users can actually aid zero-click attacks. End-to-end encrypted messaging apps like Apple’s iMessage make it hard to determine whether an attack is taking place, because no one can see the contents of the data packet being sent except the sender and receiver.
Malicious hacking groups often develop tools to take advantage of zero-click vulnerabilities and sell them for millions on the black market. Because of their nearly untraceable nature, zero-clicks are often employed at the nation-state level by government agencies in espionage operations.
Sometimes the targets of those operations include reporters. According to The Indian Express, London-based journalist Rania Dridi’s phone was compromised despite her taking appropriate precautions. The hack forced her to delete apps that were important to her work reporting on women’s rights in the Arab world. In their documentary The Spy in Your Phone, Al Jazeera details how one of their journalists was compromised by Pegasus malware.
How to Prevent a Zero-Click Attack
The stealth nature of zero-click attacks makes them difficult to avoid if you’re a target. But there are cyber-security measures you can take to protect yourself in general.
First, keep your apps and systems updated regularly. Software manufacturers will patch vulnerabilities as soon as possible once they become aware that the bugs exist. Routine updates often contain these fixes and only take a couple minutes to install.
Meanwhile, pay close attention to the developers of the apps you install. If there’s no information about the manufacturer listed, the app has no reviews, or the developer hasn’t been verified by the app store, odds are it’s fishy and you should steer clear.
It’s also a good idea to routinely purge apps you don’t use anymore from your phone, or at the very least remove any permissions you’ve granted them so they can’t automatically access other parts of your phone like the camera or media library.
Whenever possible, use multi-factor authentication to access important sites, email, and social media. And we’ve all heard it by now, but it bears repeating: Don’t use the same password you came up with in high school for every account. Password managers can help you select a strong master passcode, and store the rest so you don’t have to remember 50 passwords.
Use extensions to block pop-ups and spam, or configure your browser settings to keep them away, as attackers often use them to spread malware. Good anti-malware and antivirus protection can’t hurt either, so get the best you can and run regular scans.
If your job involves the handling of sensitive information, you may want to keep two phones: one for work and one for personal use. That way, if one is compromised, you won’t lose all your data. No matter your profession, it’s a good idea to regularly back up all your data and files, and store them separately from your main hard drive. In the event of a ransomware attack, you’ll then be able to recover your data, even if you have to scrap your PC.
Should You Be Worried?
Zero-click attacks are unquestionably scary. That said, you probably don’t need to lose sleep over them. Most zero-click vulnerabilities are used by state actors to go after high-profile targets. Still, it’s a good idea to keep an eye out for suspicious activity on your devices.