👨‍💻 Berkan's Blog

Understanding Zero-Click Attacks

Published by Berkan K. on February 2, 2024

book 4 min read

If someone ever told you about that you could get hacked by simply opening an email, you probably would think they were crazy. But it’s actually very possible. In fact, it’s so common that it’s been called the “zero-click attack”.

What Are Zero-Click Attacks?

A zero-click attack is an exploit that requires no interaction from the victim.


You don’t click a link.
You don’t open a file.
You don’t even notice anything happened.


Thats because the attacker abuses a vulnerability in software that automatically processes incoming data. Just receiving a message, call, or packet can be enough to trigger malicious code.

How Do These Attacks Work?

Zero-click attacks usually rely on bugs deep inside software that handles data automatically.


Common attack paths include:

  • Messaging Apps: Bugs in image, video, or message parsing can be exploited as soon as content is received.

  • Operating System Flaws: Memory corruption bugs like buffer overflows or use-after-free vulnerabilities allow remote code execution.

  • Network Protocols: Malformed packets sent over the network can trigger vulnerabilities without user involvement.


Because everything happens in the background, the victim often has no idea their device is compromised.


By crafting payloads that exploit these vulnerabilities, attackers can gain unauthorized access to devices, steal sensitive information, or even take full control over the system without any direct action from the victim.

Real-World Examples

One of the most well-known examples is Pegasus, spyware developed by NSO Group. It used zero-click exploits on smartphones to spy on journalists, activists, and political figures.


Another case is FORCEDENTRY, which targeted Apple’s iMessage. Simply receiving a message was enough to compromise the device and install spyware.


Another example is the WhatsApp vulnerability exploited by attackers in 2019 to install surveillance software on phones simply by calling the target’s number, even if the call was not answered.

Why Zero-Click Attacks Are So Hard to Deal With

The biggest problem with zero-click attacks is how invisible they are.


They often leave very few traces.
They commonly rely on zero-day vulnerabilities.
They don’t need social engineering or user mistakes.


That makes detection, investigation, and prevention extremely difficult, even for experienced security teams.

Can We Defend Against Them?

Well yes but actually no

So is it even possible to defend against them? Well, an honest answer would be: not perfectly.

If a zero-day vulnerability exists in widely used software, there’s very little an individual user can do to fully stop it. But you can reduce your exposure and risk by following best practices:

  • Keep your operating system, firmware, and apps on all your devices updated.
  • Only download apps from official stores.
  • Delete any apps you no longer use.
  • Avoid “jailbreaking” or “rooting” your phone since doing so removes protection provided by Apple and Google.
  • Use strong authentication to access accounts, especially critical networks.
  • Use strong, unique passwords
  • Back up important data regularly
  • Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings

While none of these are magic fixes, together they can significantly lower your risk of falling victim to a zero-click attack.

Author
profile
Hello, I'm a 25-year-old Software Engineer based in Denmark, specializing in Cybersecurity and
Fullstack Development.

Beyond programming, I enjoy sharing my journey and insights through writing, aiming to contribute to the tech community and inspire like-minded professionals.

Post Details Category