Zero-click malware attacks have often made their way into the headlines in recent years. As the name suggests, zero-click attacks need no action from the targeted victim. This means that even the most advanced users can fall victim to these serious hacks and spyware tools.
Zero-click attacks are usually highly targeted and use sophisticated tactics. They can cause severe consequences without the victim ever noticing that something is wrong in the background. The terms ‘zero-click exploits’ and ‘zero-click attacks’ are mostly used interchangeably; they are also referred to as fully remote or interaction-less attacks.
Zero-Click Malware Defined
In the past, spying software relied heavily on convincing the targeted person to click on a compromised link or file. The malware then installed itself on the victim’s tablet, phone, or computer.
With a zero-click attack, however, the software is installed on a device without the victim clicking on any link at all. Because of that capability, zero-click malware (also called no-click malware) is considered far more dangerous.
The minimal interaction involved in a zero-click attack means that there are fewer traces of any malicious activity. This, together with the fact that vulnerabilities usable for zero-click attacks are rare, makes them highly valuable to attackers.
Even simple zero-click attacks leave minimal traces, which makes detecting them difficult. Moreover, the same features that make software highly secure, such as end-to-end encryption, can also make zero-click attacks difficult to detect. Zero-click attacks have been around for many years, but the issue seems to have become more widespread with the massive use of smartphones that store lots of personal data.
As people and organizations become more reliant on their mobile devices, the need to stay informed about zero-click issues and vulnerabilities has never been greater.
How A Zero-Click Attack Works
Normally, remote infection of a target’s mobile device needs some type of social engineering: the user has to click on a malicious link or install a malicious app to give the attacker an entry point. That is not the case with zero-click attacks, which bypass the need for social engineering entirely.
A zero-click exploit is designed to abuse flaws in the victim’s device, using a gap in how incoming data is verified to work its way into the system. Most software on the market today uses data verification processes to keep the majority of cyberattacks at bay.
Nevertheless, there are zero-day vulnerabilities that are yet to be patched, and they present lucrative targets for cybercriminals. Experienced attackers can exploit such zero-day vulnerabilities to launch attacks that need no action on the part of the targeted victim.
In most cases, zero-click attacks target apps that offer messaging and voice calling, since these services are built to receive and interpret data from untrusted sources. Attackers use specially formed data, such as a hidden text message or image file, to introduce code that compromises the device.
A normal hypothetical zero-click malware attack works this way:
- The criminals identify an existing vulnerability in a mail or messaging app.
- These hackers then exploit the vulnerability by sending a carefully designed message to the target.
- The discovered vulnerability enables the malicious actors to infect the device remotely through messages, such as emails, that consume a lot of memory.
- The criminal’s email, message, or call does not necessarily remain on the device.
- As a result of this attack, cybercriminals can read, edit, leak, and delete messages.
The attack can arrive as a series of network packets, validation requests, voicemail, MMS, text messages, phone calls, video conferencing sessions, or messages sent over Skype, WhatsApp, and Telegram.
Any of these can exploit a vulnerability in the part of an application that is responsible for processing incoming data. Because messaging applications identify people by phone numbers, which are easy to look up, their users can become easy targets for political groups and commercial hacking operations.
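The passages above make the core technical point: a messaging client has to decode data from anyone who knows the recipient's number, so the parsing code is where a malformed message does its damage, and it is also where defenders get their first chance to refuse it. The following is an added example, not code from the original article or from any messaging app it mentions; it parses a constructed toy frame format (a marker, a one-byte type, a four-byte big-endian length, then the payload) and treats every header field as attacker-controlled. The declared length is capped before it drives any allocation (the memory-consumption step in the list above), and must match the bytes actually received; text payloads are decoded strictly, and image payloads are only measured, on the assumption that real decoding would happen in an isolated, low-privilege process rather than the main app.

```python
"""
Added example: a defensive parser for an untrusted, length-prefixed message frame.
The frame layout (magic, 1-byte type, 4-byte big-endian length, payload) is a
constructed toy format, not a real messaging protocol.
"""
import struct

MAGIC = b"ZM"                     # constructed 2-byte frame marker
HEADER = struct.Struct(">2sBI")   # magic, type, payload length
MAX_PAYLOAD = 64 * 1024           # hard cap on memory we are willing to spend per frame
TYPE_TEXT, TYPE_IMAGE = 1, 2
ALLOWED_TYPES = {TYPE_TEXT, TYPE_IMAGE}


class RejectedFrame(Exception):
    """Raised when an incoming frame fails validation; the frame is dropped unprocessed."""


def parse_frame(frame: bytes) -> dict:
    """Validate and decode one frame, refusing anything that does not match exactly."""
    if len(frame) < HEADER.size:
        raise RejectedFrame("truncated header")
    magic, msg_type, length = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise RejectedFrame("bad magic")
    if msg_type not in ALLOWED_TYPES:
        raise RejectedFrame(f"unknown type {msg_type}")
    # The declared length is untrusted: cap it *before* it drives any allocation.
    if length > MAX_PAYLOAD:
        raise RejectedFrame(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
    # Declared length must equal what was actually received: no reading past the
    # buffer, and no silently accepting trailing bytes that a decoder might later touch.
    if len(frame) != HEADER.size + length:
        raise RejectedFrame("declared length does not match received bytes")
    payload = frame[HEADER.size:]
    if msg_type == TYPE_TEXT:
        try:
            text = payload.decode("utf-8")   # strict: invalid UTF-8 is rejected, not coerced
        except UnicodeDecodeError as exc:
            raise RejectedFrame("invalid UTF-8 in text payload") from exc
        return {"type": "text", "text": text}
    # Image payloads are not decoded here; a real client would hand them to an
    # isolated, low-privilege decoder rather than parsing them in the main app process.
    return {"type": "image", "size": len(payload)}


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Construct a well-formed sample frame (used only to build the demonstration input)."""
    return HEADER.pack(MAGIC, msg_type, len(payload)) + payload


def triage(frames):
    """Run a batch of frames through the parser; return (accepted, rejection_reasons)."""
    accepted, rejected = [], []
    for f in frames:
        try:
            accepted.append(parse_frame(f))
        except RejectedFrame as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample input: two benign frames and three malformed ones of the
# kind an inbound-message parser must survive without trusting the header.
SAMPLE_FRAMES = [
    build_frame(TYPE_TEXT, "hello".encode()),
    build_frame(TYPE_IMAGE, b"\x89PNG" + b"\x00" * 16),
    HEADER.pack(MAGIC, TYPE_IMAGE, 0xFFFFFFFF) + b"\x00" * 8,   # huge declared length
    HEADER.pack(MAGIC, TYPE_TEXT, 100) + b"short",               # length > bytes present
    build_frame(TYPE_TEXT, b"\xff\xfe"),                           # invalid UTF-8
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_FRAMES)
    for item in ok:
        print("accepted:", item)
    for reason in bad:
        print("rejected:", reason)
```

The design choice worth noting is the order of checks: the cap on the declared length comes before the comparison with the received length, so an absurd header is refused before any arithmetic or allocation depends on it, and the parser never reads beyond the buffer it was given. Rejected frames are dropped whole rather than partially processed, which is the behaviour a detection pipeline can also log and count.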
The particulars of each zero-click attack vary according to which vulnerability is exploited. A defining trait of zero-click attacks is that they leave few or no traces behind, which makes them very challenging to detect.
This makes it hard to determine who is using zero-click attacks and for what purpose. Nonetheless, intelligence agencies around the world are reported to use them to intercept messages from, and monitor the locations and activities of, suspected terrorists and criminals.
Examples Of Zero-Click Malware Attacks
A zero-click vulnerability can affect a wide variety of devices, from Android to Apple. High-profile examples of zero-click exploits include:
Apple Zero-Click, Forced Entry, 2021:
Last year, a Bahraini human rights activist’s iPhone was found to have been hacked by powerful spyware sold to nation-states. The hack was discovered by researchers at Citizen Lab, an internet watchdog based at the University of Toronto. The exploit had managed to defeat security protections that Apple put in place to withstand covert compromises of this kind.
The researchers analyzed the activist’s iPhone 12 Pro and found that it had been compromised through a zero-click attack. The attack exploited a previously unknown vulnerability in Apple’s iMessage and was used to push Pegasus spyware, developed by the Israeli company NSO Group, onto the activist’s phone.
The hack attracted a great deal of news coverage, mostly because it worked against the latest iPhone software at the time, both iOS 14.4 and the later iOS 14.6 that Apple released in May 2021. Notably, the attackers used the zero-click exploit to bypass a security feature integrated into all versions of iOS 14, known as BlastDoor.
BlastDoor was meant to prevent exactly this type of compromise by filtering out malicious data sent over iMessage. Because it was able to bypass BlastDoor, the exploit was named ForcedEntry. In response to the incident, Apple upgraded its defenses with iOS 15.
WhatsApp Breach In 2019
This infamous breach was launched through a missed call that exploited a vulnerability in WhatsApp’s code. The exploit targeted a zero-day flaw, a previously unknown and unpatched vulnerability, and allowed the attacker to load spyware through the data exchanged between two devices as a result of the missed call.
Once loaded, the spyware established itself as a background process, deep within the device’s software.
Jeff Bezos, 2018
In 2018, Crown Prince Mohammed bin Salman of Saudi Arabia is said to have sent Amazon CEO Jeff Bezos a WhatsApp message containing a video promoting Saudi Arabia’s telecom market. According to analysis reports, code within the video file allowed the sender to extract information from Bezos’ iPhone over several months.
The compromise resulted in the capture of many instant messages, text messages, and emails. Experts and analysts also believe that the attacker eavesdropped on recordings taken with the phone’s microphone.
Project Raven, 2016
Project Raven is the United Arab Emirates’ offensive cyber operations unit. It consists of former US intelligence operators and Emirati security officials working as contractors. They are alleged to have used a tool called Karma to exploit a flaw in iMessage.
Karma used expertly crafted text messages to break into the iPhones of diplomats, activists, and rival foreign leaders and obtain text messages, emails, photos, and location information.
How To Protect Yourself From Zero-Click Malware Attacks
Since zero-click attacks require no interaction from the victim, many say there is not a lot one can do to protect oneself. While that is a disturbing thought, it is critical to remember that, generally, these attacks are aimed at particular victims, whether for monetary gain or for espionage.
With that in mind, installing security tools and practicing basic cyber hygiene helps users maximize their online safety. Here are some precautions you can take:
- Ensure that you delete all the apps that you no longer use.
- Enable pop-up blockers and adjust your browser settings to prevent pop-ups from appearing. Studies have found that scammers often use pop-ups to spread malware.
- Keep your firmware, operating system, and apps on all your gadgets updated as prompted by legitimate service providers.
- Use strong passwords. Experts advise long, unique passwords that cannot be compromised easily.
- Always protect your device with a passcode.
- Only download the apps you need, and only from official stores.
- Use strong authentication to access accounts, especially those on critical networks.
- Always back up all your systems. If ransomware strikes, an up-to-date backup of all your data lets you restore your systems and speeds up recovery.
- Avoid ‘rooting’ or ‘jailbreaking’ your mobile device because doing that eliminates the protection offered by Google and Apple.
Using a strong, comprehensive antivirus helps keep users safe online. A good antivirus should offer 24/7 protection against viruses, spyware, hackers, and zero-click malware attacks. It should also offer payment protection and privacy tools that protect users from all angles. Kaspersky Total Security and Kaspersky Internet Security for Android are two popular options.