Welcome to ITS! Learn more about our strategic partnership with Digital Seattle!

ITS San Francisco

By: ITS San Francisco on February 17th, 2022

Print/Save as PDF

What are Zero-Click Attacks, and Should I be Concerned?


Zero-click attacks are cyber-attacks on mobile devices. And yes, they are real. They’ve happened within the recent past, and they will likely happen again. But are zero-click attacks a reason for everyday mobile device users to worry about?

Not likely; but be aware of what they are, how they are being used, and what you can do.

What Is A Zero-Click Cyber-Attack?

Spyware alert on mobile phone

Zero-click attacks are fully remote cyber-attacks that provide access to the attacked smartphone in real-time, and without interaction from the target. In other words, the attack can take place without a click on a malicious website or malicious app. These types of zero-click attacks tend to leverage apps that provide a form of messaging or voice calling because, by design, these apps receive and parse data from multiple sources on a regular basis. This means a hidden text message, image or call can inject a code into the target’s mobile device, compromising the device.

How Are Zero-Click Attacks Being Used?

Zero-click attacks are impactful, difficult to defend against, and typically very targeted. This means that zero-click attacks tend to target a very small portion of the population, the “high-value” targets. The typical intent of this type of mobile spyware is for government operatives to fight crime and terror attacks.

In 2020, however, a zero-click attack targeted the personal phones of around three dozen journalists, producers, anchors, and executives at Al Jazeera, a media network in Qatar. In this case, the exploit came in the form of an iMessage and was originated from government operatives. These operatives utilized the NSO Group’s Pegasus spyware, which is a mobile phone surveillance solution.

Once a zero-click attack is initiated, they are typically pretty successful. This is because no action is needed on the part of the contact being attacked.  The attacks are extremely difficult to prevent, even by those trained to prevent these types of attacks. In addition, zero-click attacks are difficult to track after they have been implemented.

What Can You Do To Prevent A Zero-Click Attack?

mobile software update

The majority of the responsibility for preventing zero-click attacks falls on the smartphone manufacturers and app developers. It is imperative that they work to limit the opportunities for exploitable bugs on devices and apps. The best thing every mobile phone user can do is to keep their device's operating systems up-to-date and ensure that bugs are patched. Doesn’t sound like much, but that is your best course of prevention.

If you believe you are part of that “high value” target group (again, a very small group of the population), then err on the side of caution and assume tracking is in place. Use a form of audio masking to prevent attackers from learning about your conversations, or from capturing images of your surroundings. In addition, use an RF shielding device when traveling. This can minimize how much location information is being leaked.

Should You Be Concerned About Zero-Click Attacks?

As a regular mobile device user, you are unlikely to become a victim of a zero-click attack. But, it is important that you are aware that these types of attacks are real.  And that their use appears to be targeting outside the “crime and terror” targets.

Staying informed is key when it comes to cybersecurity, and that applies to zero-click attacks as well. Staying on top of the latest cybercrime trends and prevention technologies will also prove useful. We at Intelligent Technical Solutions can help you do both and more. Contact us today!

The Whys and Hows of an Engaging Cybersecurity Awareness Training Program