Definition
A zero-click attack is a type of cyberattack where the victim doesn’t have to reveal their information or engage in any activity. In this attack, the attacker infiltrates the victim’s device or software without the victim clicking a link, downloading anything, or opening an email attachment.
Zero-click attacks aim to steal data or perform spy operations. They are challenging to detect and defend against because they do not require the victim’s interaction.
Examples of Zero-Click Attacks
- Apple zero-click, ForcedEntry, 2021: A Bahraini activist was targeted with a zero-click attack that used a previously unnoticed security hole in Apple’s iMessage in the iOS 16.6 and 14.4 software. The attackers exploited this vulnerability to deliver the Pegasus spyware to the activist’s mobile device.
- Breach of WhatsApp, 2019: An anonymous sender threatened WhatsApp’s safety with a single missed call whose information contained injected spyware, which later entered the device’s software.
- Jeff Bezos, 2018: The crown prince shared with Jeff Bezos a WhatsApp video advertising Saudi Arabia’s telecom industry; the video included code that targeted his phone calls, messages, and emails for several months.
- Project Raven, 2016: A UAE cyber operation used the surveillance service Karma to attack weak points in iMessage and hack the iPhones of diplomats, activists, and foreign leaders. Karma infected smart devices via distinct text messages and collected data such as text messages, emails, photos, and location.
How to Prevent Zero-Click Attacks
- Ensure you delete unnecessary applications.
- Download software only from trustworthy sources.
- Update your applications, OS, and firmware regularly.
- Ensure your system is always updated.
- Employ multi-factor authentication to protect your accounts.
- Customize your browser settings to stop pop-ups.
- Utilize robust and distinctive passwords.
How Does a Zero-Click Attack Work?
- Taking advantage of software vulnerabilities: Zero-click attacks typically exploit flaws in software apps. Hackers search for these weaknesses in applications and systems to install malicious code on a targeted device or perform other harmful actions without the user’s intervention.
- Targeting data processing apps: Many zero-click attacks take advantage of flaws in applications that process untrusted data. These include phone apps, messaging apps, email apps, and SMS platforms. The applications receive and process information from untrusted sources before displaying it to users. A specially designed message can exploit a vulnerability in the data processing code.
- Applying harmful code without user input: Taking advantage of flaws in data processing enables malicious calls or messages to execute malicious code on the device without any user input. This makes zero-click attacks extremely dangerous, as they can compromise your device without you knowing it.
- Exploiting automatic notifications: Receiving an SMS or email does not require user interaction. Smart devices display alerts automatically, depending on the content of the messages, before users read them. Zero-click attacks can exploit these automated procedures to carry out an attack.
- Leaving no trace of the attack: A cunningly developed malicious message can install malware, erase itself, and suppress alerts, making it difficult to detect the attack until it is too late to recover.
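The data processing and automatic notification steps above both come down to code that parses a sender-controlled message before the user sees anything. The following C code is an added example, not part of the original page: a notification-preview parser that checks every declared length against the bytes actually received and truncates to the destination buffer. The wire format, `FIELD_TEXT`, and `build_preview` are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical wire format (constructed for this example):
 * repeated fields of [type:1][length:2, big-endian][value:length]. */
#define FIELD_TEXT 0x01

/* Build a notification preview from an untrusted message buffer.
 * Returns 0 on success, -1 if the message is malformed or has no text. */
int build_preview(const uint8_t *msg, size_t len, char *out, size_t out_cap)
{
    size_t pos = 0;
    int found = 0;

    if (msg == NULL || out == NULL || out_cap == 0)
        return -1;
    out[0] = '\0';

    while (pos < len) {
        /* The 3-byte field header must fit in what is left. */
        if (len - pos < 3)
            return -1;
        uint8_t type = msg[pos];
        size_t flen = ((size_t)msg[pos + 1] << 8) | msg[pos + 2];
        pos += 3;

        /* Never trust the sender's length: compare it with the bytes
         * actually received, written so the subtraction cannot wrap. */
        if (flen > len - pos)
            return -1;

        if (type == FIELD_TEXT && !found) {
            /* Truncate to the destination size, not the declared size. */
            size_t n = flen < out_cap - 1 ? flen : out_cap - 1;
            for (size_t i = 0; i < n; i++) {
                uint8_t c = msg[pos + i];
                /* Keep printable ASCII only; mask everything else. */
                out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
            }
            out[n] = '\0';
            found = 1;
        }
        pos += flen; /* unknown field types are skipped, not interpreted */
    }
    return found ? 0 : -1;
}
```

A malformed message is rejected as a whole rather than partially rendered, so the preview path never acts on a field whose bounds could not be verified.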