Zero Click Attacks – Becoming the victim without a click

Blog Cybersecurity
Pic Source: Koby Kelsey via Unsplash

Cyber risk is constantly on the rise. Meanwhile, cyberattacks have become so sophisticated that users can become victims without having taken action themselves or having made a mistake.

What sounds more like methods from a spy thriller is actually reality. Just last week, it became known that the Pegasus surveillance software was successfully infiltrated onto iPhones – without the user’s intervention. Zero-day security vulnerabilities in the iMessage software served as the gateway. But what exactly is behind zero click attacks? We provide information in our latest blog post.

Not the first incident with the spyware Pegasus

The Pegasus spyware has been known since 2016. It was developed by the Israeli company NSO Group and is used to spy on Android and iOS devices. The software allows data to be accessed and sent over the Internet without being noticed. The use of Pegasus is quite controversial. The company already attracted attention with negative headlines in 2019. At that time, approximately 1,400 human rights activists, journalists and politicians were monitored with Whatsapp spying attacks. According to WhatsApp CEO Cathcart, these attacks were also carried out with the help of Pegasus software. Now the spyware is once again in focus. This time, however, the situation is aggravated by the fact that Pegasus can be infiltrated onto the devices without any human activity at all. With so-called zero-click attacks.

The danger of zero-click attacks

This type of attack poses a whole new set of risks. Monika Bubela, Cyber Threat Intelligence Analyst at Perseus, summarizes the threat landscape as follows:

“The biggest threat with zero click attacks is that they require no action from the victim. There is no suspicious link or message for the victim to click on.”

Thus, systems can be compromised entirely without human interaction. Just receiving a manipulated message, for example, can be enough to allow attackers to take over smartphones. Even a very attentive user with a well-patched and updated system can easily become a victim.

How do cybercriminals go about it?

For zero-click attacks, cybercriminals exploit security holes and vulnerabilities they find in the operating system of mobile devices or in the apps installed on the device.

So-called zero-day vulnerabilities are of particular interest. These are security vulnerabilities that are not yet known to the manufacturer of the software and have therefore not yet been mitigated or patched.

Attention. These vulnerabilities are only closed on the user’s own device and active exploitation of the vulnerabilities by cybercriminals is only prevented by installing the security updates and patches provided.

(Editor’s note. In connection with the Pegasus spyware, experts do not yet give the all-clear that an update to the current iOS 14.7. operating system will prevent zero click propagation).

For experts:

Monika Bubela explains in detail how cybercriminals can ultimately take over mobile devices:

“The malware itself ‘jailbreaks’ an iOS device without the user’s knowledge.” In information security, a ‘jailbreak’ describes the unauthorized removal of usage restrictions on computers or other mobile devices. That is, certain features that the manufacturer has locked by default are now available.

“For the above zero click attack by Pegasus on iOS devices, it means that an unauthorized third party gains root access for the iOS device. This means Apple is no longer the only source of apps, allowing an attacker to download apps not vetted by Apple to the victim’s device. Android devices are also vulnerable. Google is aware of this and is trying to provide patches for known malware like Pegasus.”

What can you do?

You probably won’t come into contact with zero-click attacks in your day-to-day work – at least not yet. However, developments in recent years show that attacks by cybercriminals are becoming increasingly complex. So sooner or later, you may have to deal with zero click attacks more intensively.

In that case, zero click attacks can affect even very attentive users, as already explained. Therefore, complete protection is hardly possible, but we would like to point out important protective measures:

  1. Perform updates and upgrades for the operating system and installed apps immediately.
  2. Only download and install apps from the official iOS and Android app stores.
  3. Read our detailed article on the topic: “How to better protect your smartphone”.