Zero click attacks - No click and still the victim

Pic Source: Koby Kelsey via Unsplash

Cyber risk is constantly on the rise. Cyberattacks have become so sophisticated that users can become victims without having taken action themselves or having made a mistake.

What sounds like a method from a spy thriller is actually reality. Just last week, it became known that the Pegasus surveillance software had been successfully installed on iPhones without any intervention by the user. Zero day security vulnerabilities in the iMessage software were used as the entry point. But how do zero click attacks work? We explain in our latest blog post.

Not the first incident with the Pegasus spyware

The Pegasus spyware has been known since 2016. It was developed by the Israeli company NSO Group and is used to spy on Android and iOS devices. The software allows data to be accessed unnoticed and transmitted over the Internet. The use of Pegasus is quite controversial. The company already attracted negative headlines in 2019. At that time, approximately 1,400 human rights activists, journalists and politicians were monitored through spying attacks on WhatsApp. According to WhatsApp CEO Cathcart, these attacks were also carried out with the help of the Pegasus software. Now the spyware is once again in focus. This time, however, the situation is aggravated by the fact that Pegasus can be placed on devices without any human activity at all, through so-called zero click attacks.

The danger of zero-click attacks

This type of attack poses a whole new set of risks. Monika Bubela, Cyber Threat Intelligence Analyst at Perseus, summarizes the state of danger as follows:

"The biggest threat with zero click attacks is that they require no action from the victim. There is no suspicious link or message for the victim to click on."

Thus, systems can be compromised without any human interaction at all. Just receiving a manipulated message, for example, can be enough to allow attackers to take over smartphones. Even a very attentive user with a well-patched and updated system can easily become a victim.

How do cybercriminals operate?

For zero click attacks, cybercriminals exploit security holes and vulnerabilities they find in the operating system of mobile devices or in the apps installed on the device.

So-called zero day vulnerabilities are particularly interesting. These are security gaps that are not yet known to the creators of the software and have therefore not yet been debugged or patched.

Beware! These vulnerabilities are closed on your own device, and their active exploitation by cybercriminals averted, only once you install the security updates and patches provided.

(Editor's note: In connection with the Pegasus spyware, experts do not yet give the all-clear that an update to the current iOS 14.7 operating system will stop zero click infiltration.)

For experts:

Monika Bubela explains in detail how cybercriminals can ultimately take over mobile devices:

"The malware itself 'jailbreaks' an iOS device without the user's knowledge." In information security, a 'jailbreak' describes the unauthorized removal of usage restrictions on computers or other mobile devices. This means that certain functions that the manufacturer has blocked by default are now available.

"For the Pegasus zero click attack on iOS devices mentioned above, it means that an unauthorized third party gains root access for the iOS device. This means Apple is no longer the sole source of apps, allowing an attacker to download apps not vetted by Apple to the victim's device. Android devices are also vulnerable. Google is aware of this and is trying to provide patches for known malware like Pegasus."

What can you do?

You probably won't encounter zero click attacks in your day-to-day work - at least not yet. However, developments in recent years show that attacks by cybercriminals are becoming increasingly complex. So sooner or later, you may have to deal with zero click attacks more intensively.

In that case, zero click attacks can affect even very attentive users, as already explained. Complete protection is therefore hardly possible, but we would like to point out important protective measures:

  1. Install updates and upgrades for the operating system and installed apps immediately.
  2. Download and install apps only from the official iOS and Android app stores.
  3. Read our detailed article on the topic: "How to better protect your smartphone".
