Blog Post View

Demystifying Zero-Click Attacks

We often hear protecting our online privacy requires us to follow security hygiene and beware of phishing and link baits and do not click on suspicious links from untrusted sources and follow best security practices. We also hear that we need to protect our online accounts with strong passwords and 2FA. Keeping up with the latest software patches, installing anti-virus and anti-malware software are all good practices to protect your devices.

What is Zero-Click Attacks

Although staying vigilant about online security, and abiding by security practices will keep us safe in most scenarios but not against zero-click attacks. Zero-Click attacks don't require user interaction, and they are executed automatically when a message, email, or voice call is sent. The user doesn't have to open the message, open an email, or pick up the call in order to be infected with malware injected via a zero-click attack.

The scary part of a zero-click attack is that you may get infected even if you don't do anything. If a malicious actor targets you, you have nothing to combat against zero-click attacks. The zero-click is used on mobile devices, and such devices include iPhone, iPad, and Android phones. Depending on the exploit, an actor may have full control over your phone or have listening capabilities of emails, iMessages, WhatsApp messages, and voice messages. Your phone will be exploited without you knowing it, and this invisibility makes this threat highly dangerous and you may not even notice it if an actor silently listens to your conversations.

Zero-click attacks are penetrated through iMessages, SMS/MMS messages, Whatsapp, Voice Calls, and Emails. The software makers such as Apple, Samsung, and Whatsapp (Facebook) are doing their best to protect against zero-click attacks, but no software is perfect and there are vulnerabilities that can be exploited. Google Project Zero researchers discovered zero-click exploits on iMessages and Android graphics library. Apple is making it harder to use zero-click attacks on their iMessages beginning on iOS 14.5, and Samsung is also doing their best to protect their devices against the mobile attacks. However, there is no foolproof method to protecting devices and they can only make it harder to break.

How does Zero-Click attack work?

Zero-click attacks target apps that provide messaging or calling features because the message has to be delivered to the individual, and the app must parse data before presenting it to the user. Anyone can send a message to the target provided that they have the phone number. An actor generally crafts a specially formed data embedding a hidden text message or image file to inject the code to the target. Upon successfully compromising the target's device, the message used to exploit the device is self-destructed and there is no trace to follow.

Who are the targets?

Given the stealth nature of zero-click attacks, it's hard to identify the actors or victims and they are unnoticed for a long duration of time. There are two primary target groups: (1) Government agencies are using them to monitor criminals and terrorists, and (2) private sector actors are using them to target high-profile individuals and steal valuable information or spy on rivals. Anyone with enough money and connections can hire hackers and spyware vendors to employ the exploits and target anyone. Here are a few high profile individuals infected by zero-click attacks:

  • Amazon CEO Jeff Bezos' iPhone was infected from Whatsapp video message in 2018. The exploit was unnoticed for 7 months, and text messages, emails, and phone conversations may have been leaked.
  • A vulnerability in WhatsApp was discovered in 2019 which allowed a hacker to inject spyware onto a target's phone by calling them with VoIP. This lead to a lawsuit between Facebook, the owner of WhatsApp, and the spyware vendor.


There is no sure way to protect yourself from zero-click attacks. Smartphone manufacturers and software developers must thoroughly inspect the code and limit the possibility of exploitable bugs. Most software companies have code reviews amongst peers and doing their best to minimize the vulnerabilities. Also, inspecting third-party extensions that work with messaging frameworks is a good way to limiting the exploits.

As a user, there isn't much we can do to protect ourselves but chances are that no one will be spying on us unless there is a significant gain they can obtain from intercepting your messages. The best things you can do is keeping your system up-to-date at all times, and apply the patches immediately when they become available.

Share this post

Comments (0)

    No comment

Leave a comment

All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.

Login To Post Comment