What is a zero-click attack, and what can you do about it?


Hackers use various tools to gain access to computers and other devices and wreak havoc. One of the most dangerous, the zero-click attack, can be especially troublesome because it is often difficult to recognize until it’s too late. As its name suggests, a zero-click attack does not require any action from the device’s owner, such as a mouse click, keypress, or any other user interaction, unlike other attack methods like smishing and phishing. Instead, all an attacker needs to do is send the dangerous file to a device and let the exploit get to work.



How do zero-click attacks work?

Most zero-click attacks come through messaging or voice-calling apps like WhatsApp, Facebook Messenger, Apple iMessage, and Telegram because these apps receive and interpret data from untrusted sources. Zero-click attacks work because they exploit flaws in how data is validated or processed on the device, then use data verification loopholes to enter. The attacks come through hidden text messages, email, voicemail, or an image file delivered via Wi-Fi, NFC, or Bluetooth. Once installed, the zero-click attack activates an unknown vulnerability that quickly goes after hardware or software, without the owner's knowledge.

As Bill Marczak, a senior research fellow at Citizen Lab, explained to Bloomberg: “With zero clicks, it’s possible for a phone to be hacked and no traces left behind whatsoever. You can break into phones belonging to people who have good security awareness. The target is out of the loop. You don’t have to convince them to do anything. It means even the most skeptical, scrupulous targets can be spied on.”


What makes zero-click attacks so dangerous

Because of how they are designed, zero-click attacks are nearly invisible to unsuspecting victims, making them much easier to execute than traditional hacking methods. 

Other reasons they can be dangerous include:

  • Unlike other vulnerabilities, this type of exploit doesn’t need to entice the victim into performing a task.
  • Zero-click attacks can bypass endpoint security, antivirus, or firewall systems.
  • Mobile devices are especially susceptible to attacks.
  • Because user interaction isn’t necessary, there are fewer traces of any malicious activity.

Once a zero-click attack is executed on a device, hackers can start collecting information about the user, including their browsing history, camera roll, location, contacts, and whatever else they want. They might also add surveillance software to listen to conversations and use what they find for nefarious purposes. Sometimes infected devices are used for cyberespionage campaigns.

Some hackers take it further and decide to encrypt user files and hold them for ransom. In this case, the attack is ransomware. When this happens, it's best to contact the authorities before handing over your hard-earned cash. 

Aren’t they the same as zero-day attacks?

Often, zero-click attacks rely on zero-day attacks to work. And yet, they aren’t the same. The former is a type of exploit that requires no user input. The latter relies on vulnerabilities that aren’t yet known to the software provider, which makes it less likely that a patch is already available to provide a fix.


What you can do

You can take steps to better protect yourself from various types of cyberattacks, including zero-click attacks. But unfortunately, as these things go, there is no sure way to protect yourself. 

The Better Business Bureau and National Cybersecurity Alliance say the first thing you can do is make sure the software on your device is up to date, including operating systems and apps. In particular, pay special attention to critical software updates and get them installed immediately. You should also avoid clicking on links from unfamiliar sources that might arrive through email or messages. When in doubt, delete the message and never give away personal information.

Use strong authentication, like two-factor authentication, for account access. The extra layer of security can make it more difficult for someone to gain personal information. Making long, unique, and strong passwords is also essential. 

Because some zero-click attacks are ransomware, it's good to back up your device regularly. With backups, getting back online after an attack is much easier. You should also turn off web browser pop-ups, which sometimes contain vulnerabilities.

Another solution is to delete unnecessary messaging apps on your device. Do you really need Telegram? How often do you use Facebook Messenger? If you don't use them, remove them from your device.

Unfortunately, even after an end-user performs each of the steps above, vulnerabilities can remain if manufacturers and software developers aren't on top of them. Therefore, the best solution to resolving zero-click attacks is for these folks to thoroughly inspect code and make the necessary changes to limit the possibility of exploitable bugs.


Real world examples of zero-click attacks

There are plenty of examples of zero-click attacks happening in the wild, including many that TechRadar has covered in recent years. 

In April, for example, a zero-click iPhone exploit was discovered in Apple’s iMessage program. It was used by the dreaded Pegasus spyware title from the NSO Group. The exploit was installed on endpoints belonging to members of the European Parliament, every Catalan president since 2010, as well as Catalan “legislators, jurists, journalists, and members of civil society organizations and their families”.

Another iPhone exploit was discovered in August 2021. Called BlastDoor, the attack took advantage of an undocumented security vulnerability in Apple’s iMessage. It too involved Pegasus spyware.

Three years ago, WhatsApp was hit with a zero-click attack that was triggered by a missed phone call. It allowed attackers to load spyware in the data exchanged between two devices.

Be sure also to check out our reports on the best malware removal tools and best anti-virus programs. These probably won't specifically address zero-click attacks. However, they will add new layers of protection to your devices. 

Bryan M Wolfe

Bryan M. Wolfe is a staff writer at TechRadar, iMore, and wherever Future can use him. Though his passion is Apple-based products, he doesn't have a problem using Windows and Android. Bryan's a single father of a 15-year-old daughter and a puppy, Isabelle. Thanks for reading!