Skip to main content

What is zero-click malware, and how do zero-click attacks work?

In recent years, zero-click attacks have occasionally made their way into the spotlight. As the name suggests, zero-click attacks require no action from the victim – meaning that even the most advanced users can fall prey to serious cyber hacks and spyware tools.

Zero-click attacks are typically highly targeted and use sophisticated tactics. They can have devastating consequences without the victim even knowing that something is wrong in the background. The terms ‘zero-click attacks’ and ‘zero-click exploits’ are often used interchangeably. They are sometimes also called interaction-less or fully remote attacks.

What is zero-click malware?

Traditionally, spying software relies on convincing the targeted person to click on a compromised link or file to install itself on their phone, tablet, or computer. However, with a zero-click attack, the software can be installed on a device without the victim clicking on any link. As a result, zero-click malware or no-click malware is much more dangerous.

The reduced interaction involved in zero-click attacks means fewer traces of any malicious activity. This – plus the fact that vulnerabilities which cybercriminals can exploit for zero-click attacks are quite rare – make them especially prized by attackers.

Even basic zero-click attacks leave little trace, which means detecting them is extremely difficult. Additionally, the same features which make software more secure can often make zero-click attacks harder to detect.  Zero-click hacks have been around for years, and the issue has become more widespread with the booming use of smartphones that store a wealth of personal data. As individuals and organizations become increasingly reliant on mobile devices, the need to stay informed about zero-click vulnerabilities has never been greater.

How does a zero-click attack work?

Typically, remote infection of a target’s mobile device requires some form of social engineering, with the user clicking on a malicious link or installing a malicious app to provide the attacker with an entry point. This is not the case with zero-click attacks, which bypass the need for social engineering entirely.

A zero-click hack exploits flaws in your device, making use of a data verification loophole to work its way into your system. Most software uses data verification processes to keep cyber breaches at bay. However, there are persistent zero-day vulnerabilities that are not yet patched, presenting potentially lucrative targets for cybercriminals. Sophisticated hackers can exploit these zero-day vulnerabilities to execute cyber-attacks, which can be implemented with no action on your part.

Often, zero-click attacks target apps that provide messaging or voice calling because these services are designed to receive and interpret data from untrusted sources. Attackers generally use specially formed data, such as a hidden text message or image file, to inject code that compromises the device.

A hypothetical zero-click attack might work like this:

  • Cybercriminals identify a vulnerability in a mail or messaging app.
  • They exploit the vulnerability by sending a carefully crafted message to the target.
  • The vulnerability allows malicious actors to infect the device remotely via emails that consume extensive memory.
  • The hacker's email, message, or call won't necessarily remain on the device.
  • As a result of the attack, cybercriminals can read, edit, leak, or delete messages.

The hack can be a series of network packets, authentication requests, text messages, MMS, voicemail, video conferencing sessions, phone calls, or messages sent over Skype, Telegram, WhatsApp, etc. All of these can exploit a vulnerability in the code of an application tasked with processing the data.

The fact that messaging apps allow people to be identified with their phone numbers, which are easily locatable, means that they can be an obvious target for both political entities and commercial hacking operations.

The specifics of each zero-click attack will vary depending on which vulnerability is being exploited. A key trait of zero-click hacks is their ability not to leave behind traces, making them very difficult to detect. This means that is not easy to identify who is using them and for what purpose. However, it is reported that intelligence agencies worldwide use them to intercept messages from and monitor the whereabouts of suspected criminals and terrorists.

Zero-click exploits can start with a seemingly harmless message or missed call.

Examples of zero-click malware

A zero-click vulnerability can affect various devices, from Apple to Android. High profile examples of zero-click exploits include:

Apple zero-click, forced entry, 2021:

In 2021, a Bahraini human rights activist had their iPhone hacked by powerful spyware sold to nation-states. The hack, uncovered by researchers at Citizen Lab, had defeated security protections put in place by Apple to withstand covert compromises.

Citizen Lab is an internet watchdog based at the University of Toronto. They analyzed the activist’s iPhone 12 Pro and found that it had been hacked via a zero-click attack. The zero-click attack took advantage of a previously unknown security vulnerability in Apple’s iMessage, which was exploited to push Pegasus spyware, developed by the Israeli firm NGO Group, to the activist’s phone.

The hack attracted significant news coverage, mainly because it exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May 2021. The hack overcame a security software feature built into all versions of iOS 14, called BlastDoor, which was intended to prevent this kind of device hacks by filtering malicious data sent over iMessage. Because of its ability to overcome BlastDoor, this exploit was dubbed ForcedEntry. In response, Apple upgraded its security defenses with iOS 15.

WhatsApp breach, 2019:

This infamous breach was triggered by a missed call, which exploited a flaw in the source code framework of WhatsApp. A zero-day exploit – i.e., a previously unknown and unpatched cyber vulnerability – allowed the attacker to load spyware in the data exchanged between two devices due to the missed call. Once loaded, the spyware enabled itself as a background resource, deep within the device’s software framework.

Jeff Bezos, 2018:

In 2018, Crown Prince Mohammed bin Salman of Saudi Arabia allegedly sent Amazon CEO Jeff Bezos a WhatsApp message with a video promoting Saudi Arabia’s telecom market. It was reported that there was a piece of code within the video file that enabled the sender to extract information from Bezos’s iPhone over several months. This resulted in the capture of text messages, instant messages, and emails, and possibly even eavesdropped recordings taken with the phone’s microphones.

Project Raven, 2016:

Project Raven refers to the UAE’s offensive cyber operations unit, which comprises Emirati security officials and former US intelligence operators working as contractors. Reportedly, they used a tool known as Karma to take advantage of a flaw in iMessage. Karma used specially crafted text messages to hack into the iPhones of activists, diplomats, and rival foreign leaders to obtain photos, emails, text messages, and location information.

How to protect yourself from zero-click exploits

Because zero-click attacks are based on no interaction from the victim, it follows that there isn’t much you can do to protect yourself. While that is a daunting thought, it’s important to remember that, in general, these attacks tend to be targeted at specific victims for espionage purposes or perhaps monetary gain.

That said, practicing basic cyber hygiene will help to maximize your online safety. Sensible precautions you can take include:

  • Keep your operating system, firmware, and apps on all your devices up to date as prompted.
  • Only download apps from official stores.
  • Delete any apps you no longer use.
  • Avoid ‘jailbreaking’ or ‘rooting’ your phone since doing so removes protection provided by Apple and Google.
  • Use your device password protection.
  • Use strong authentication to access accounts, especially critical networks.
  • Use strong passwords – i.e., long and unique passwords.
  • Regularly backup systems. Systems can be restored in cases of ransomware, and having a current backup of all data speeds the recovery process.
  • Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Scammers routinely use pop-ups to spread malware.

Using a comprehensive antivirus will also help keep you safe online. Kaspersky Total Security provides 24/7 protection against hackers, viruses, and malware, plus payment protection and privacy tools which protect you from every angle. Kaspersky Internet Security for Android will protect your Android device also.

Related articles:

What is zero-click malware, and how do zero-click attacks work?

Zero-click spyware is a malicious hack that requires no interaction from the user. Zero-click vulnerabilities, how does a zero-click attack work & how to protect yourself.
Kaspersky logo

Featured posts