Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.
Zero-click attack definition
Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind—which makes them dangerous.
Once a device is compromised, an attacker can choose to install surveillance software, or they can choose to enact a much more destructive strategy by encrypting the files and holding them for ransom. Generally, a victim can’t tell when and how they’ve been infected through a zero-click attack, which means users can do little to protect themselves.
How zero-click attacks work
Zero-click attacks have become increasingly popular in recent years, fueled by the rapidly growing surveillance industry. One of the most popular spyware is NSO Group’s Pegasus, which has been used to monitor journalists, activists, world leaders, and company executives. While it’s not clear how each victim was targeted, it is believed that at least a few of them have received a WhatsApp call they didn’t even have to answer.
Messaging apps are often targeted in zero-click attacks because they receive large amounts of data from unknown sources without requiring any action from the device owner. Most often, the attackers exploit a flaw in how data is validated or processed.
Other less-known zero-click attack types have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He gives two examples: parser application exploits (“while a user views a picture in a PDF or a mail application, the attacker is silently exploiting a system without user clicks or interaction needed”) and “WiFi proximity attacks that seek to find exploits on a WiFi stack and upload exploit code into [the] user’s space [in the] kernel to remotely take over systems.”
Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks,” Lakhani says.
These attacks are often used against high-value targets because they are expensive. “Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android,” says Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.
Examples of zero-click attacks
The target of a zero-click attack can be anything from a smartphone to a desktop computer and even an IoT device. One of the first defining moments in their history happened in 2010 when security researcher Chris Paget demonstrated at DEFCON18 how to intercept phone calls and text messages using a Global System for Mobile Communications (GSM) vulnerability, explaining that the GSM protocol is broken by design. During his demo, he showed how easy it was for his international mobile subscriber identity (IMSI) catcher to intercept the mobile phone traffic of the audience.
Another early zero-click threat was discovered in 2015 when the Android malware family Shedun took advantage of the Android Accessibility Service’s legitimate functions to install adware without the user doing anything. “By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” according to Lookout.
A year later, in 2016, things got even more complicated. A zero-click attack was implemented into the United Arab Emirates surveillance tool Karma, which took advantage of a zero-day found in iMessage. Karma only needed a user’s phone number or email address. Then, a text message was sent to the victim, who didn’t even have to click on a link to be infected.
Once that text arrived on an iPhone, the attackers were able to see photos, emails, and location data, among other items. The hacking unit that used this tool, dubbed Project Raven, included U.S. intelligence hackers who helped the United Arab Emirates monitor governments and human rights activists.
By the end of that decade, zero-click attacks were being noticed more often, as surveillance companies and nation-state actors started to develop tools that didn’t require any action from the user. “Attacks that we were previously seeing through links in SMS, moved to zero-click attacks by network injections,” says Etienne Maynier, technologist at Amnesty International.
Amnesty and the Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which was linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s mic and camera, collect passwords, and gather information from apps.
Khashoggi and his close ones were not the only victims. In 2019, a flaw in WhatsApp was exploited to target civil society and political figures in Catalonia. The attack started with a video call made on WhatsApp to the victim. Answering the call wasn’t necessary, as the data sent to the chat app wasn’t sanitized properly. This allowed the Pegasus code to be executed on the target device, effectively installing the spyware software. WhatsApp has since patched this vulnerability and has notified 1,400 users who have been targeted.
Another sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.
Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was proved to be exploitable through a zero-click attack that gave hackers access to the target device across major operating systems (Windows, MacOS, Linux).
How to detect and mitigate zero-click attacks
Realistically, knowing if a victim is infected is quite tricky, and protecting against a zero-click attack is almost impossible. “Zero-click attacks are way more common than we thought,” says Maynier. He recommends potential targets encrypt all their data, update their devices, have strong passwords, and do everything in their power to protect their digital lives. There’s also something else he tells them: “Consider that they may be compromised and adapt to that.”
Still, users can do a few things to minimize the risk of being spied on. The simplest one is to restart the phone periodically if they own an iPhone. Experts at Amnesty have shown that this could potentially stop Pegasus from working on iOS—at least temporarily. This has the advantage of disabling any code running that has not achieved persistence. However, the disadvantage is that rebooting the device may erase the signs that an infection has occurred, making it much harder for security researchers to determine whether a device has been targeted with Pegasus.
Users should also avoid jailbreaking their devices, because it removes some of the security controls that are built into the firmware. In addition to that, since they can install unverified software on a jailbroken device, this opens them up to installing vulnerable code that might be a prime target for a zero-click attack.
As always, maintaining good security hygiene can help. “Segmentation of networks, applications, and users, use of multifactor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics may prove to slow down or mitigate risks in specific situations,” says Lakhani. “[These] will also make post-exploitation activities difficult for attackers, even if they do compromise [the] systems.”
Maynier adds that high-profile targets should segregate data and have a device only for sensitive communications. He recommends users keep “the smallest amount of information possible on their phone (disappearing messages are a very good tool for that)” and leave it out of the room when they have important face-to-face conversations.
Organizations such as Amnesty and Citizen Lab have published guides instructing users to connect their smartphone to a PC and check to see whether they have been infected with Pegasus. The software used for this, Mobile Verification Toolkit, relies on known Indicators of Compromise such as cached favicons and URLs present in SMS messages. A user does not have to jailbreak their device to run this tool.
Also, Apple and WhatsApp have both sent messages to people who might have been targeted by zero-click attacks that aimed to install Pegasus. After that, some of them reached out to organizations such as Citizen Lab to further analyze their devices.
Yet technology alone won’t solve the problem, says Amnesty’s Maynier. “This is ultimately a question of policy and regulation,” he adds. “Amnesty, EDRi and many other organizations are calling for a global moratorium on the use, sale, and transfer of surveillance technology until there is a proper human rights regulatory framework in place that protects human rights defenders and civil society from the misuse of these tools.”
The policy answers will have to cover different aspects of this problem, he says, from export control to mandatory human rights due diligence for companies. “We need to put a stop on these widespread abuses first,” Maynier adds.