Skip to main content

Home Zero-click attack

Zero-click attack

(also zero-click malware)

Zero-click attack definition

A zero-click attack is a cyberassault that does not require the victim to provide information or engage in any activity. In a zero-click attack, the attacker compromises the victim’s software or device without the victim ever downloading anything, opening an email attachment, or clicking on a link. Perpetrators and nation-state actors usually utilize zero-click attacks to steal sensitive data or perform spy operations. Zero-click attacks are challenging to detect and defend against because users don’t need to have any direct interaction.

Zero-click attack examples

  • Project Raven, 2016. This UAE cyberoperation used espionage platform Karma to attack vulnerable segments of iMessages and hack the iPhones of foreign leaders, activists, and diplomats. Karma infected the phones using special text messages that gathered data like location, photos, emails, and text messages.
  • Jeff Bezos, 2018. In 2018, the Crown Prince sent a WhatsApp video promoting Saudi Arabia’s telecom market to Jeff Bezos that contained a code that attacked emails, messages, and phone calls from Bezos’s iPhone for a few months.
  • WhatsApp breach, 2019. An unknown sender endangered WhatsApp’s security with a single missed call that had spyware inserted into the data, which later got into the device’s software.
  • Apple zero-click, ForcedEntry, 2021. A Bahraini activist faced a zero-click attack that exploited a previously undetected security hole in Apple’s iMessage in the iOS 14.4 and 16.6 software. This vulnerability was used to spread the Pegasus spyware, developed by NSO Group, an Israeli firm, to the activist’s phone. The exploit, which managed to bypass the security software, featured BlastDoor. It was called ForcedEntry.

Preventing zero-click attacks

  • Regular OS, firmware, and app updates
  • Download apps from reliable sources
  • Delete apps you don’t use
  • Use two-factor authentication to access your accounts
  • Use strong and unique passwords
  • Keep your system up to date
  • Prevent pop-ups by adjusting your browser settings