
An introduction to zero-click attacks

Cybersecurity is a constant battle as there are always new threats to consider and safeguard against. With companies and individuals storing an incredible amount of personal and business data on their devices, keeping this information protected requires rigid security practices.

However, one of the most challenging cyber threats to prevent is zero-click attacks. These are especially dangerous because, unlike more common cyberattacks, a victim’s devices can be compromised without them ever knowing. So, what can be done? 

Here, we explore how to recognise these malware attacks while offering tips that help prevent your devices from being exploited.

What is a zero-click attack?

Malware is one of the most prevalent ways hackers gain access to a system. Typically, this malicious software installs itself on a computer or mobile device after the user clicks on a disguised link or attachment designed to infect the system. Even opening a Word document can result in zero-click attacks.  

While countless people fall victim to malware, proper training and education ensure employees can recognise and avoid these attacks. However, zero-click cyberattacks are an enormous threat because they require no interaction at all to install themselves.

Where many cyberattacks rely on social engineering to compromise an internal network, zero-click attacks can enter your device at any time. The lack of detection means cybercriminals can be impossible to track, even if your team discovers the attack.

How do zero-click attacks work?

The most common targets for a zero-click attack are apps with messaging and voice-calling features. As services such as WhatsApp and iMessage receive and parse data from unknown sources, code hidden inside communication – ranging from text messages and emails to image files – can exploit a vulnerability at the hardware or software level.

Popular video conferencing platform Zoom had to resolve a bug that let an attacker exploit a victim’s device by sending Extensible Messaging and Presence Protocol (XMPP) messages over chat. If successful, an attacker can connect with malicious servers and contribute to attacks such as spoofing messages. Zoom has since advised Windows, macOS, iOS, and Android users to update to the latest version (5.10.0) of its software.

As many of the most popular messaging services feature end-to-end encryption, the content of data packets sent via these services is unknown to everyone but the sender and receiver. This means detecting a zero-click attack becomes even more complicated.

In addition, zero-click attacks often install and delete themselves without any evidence being left behind. With these exploits being developed by incredibly skilled hackers, defending the contents of your email or text messages is difficult. However, there are ways to mitigate risk for employers and employees alike.

How to limit your risk of zero-click cyberattacks

Zero-click attacks are so dangerous because they exploit invisible vulnerabilities within our devices. One well-known example discovered in September 2021 was the Pegasus malware, which allowed hackers to turn iPhones, iPads, MacBooks, and Apple Watches into listening devices via code hidden in a PDF file. However, once the threat was discovered, Apple released a patch that stopped this avenue of attack.

With this in mind, always keep your devices and browsers updated with the latest software. As these updates shut down vulnerabilities, failing to update leaves you at risk of already patched exploits. Meanwhile, you should only download trusted apps, created by reputable companies, from official stores.
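The Zoom version named earlier (5.10.0) gives a concrete threshold to check a device fleet against. The script below is an added example, not code from the article or from Zoom: the inventory format, host names, column names and build suffixes are constructed assumptions.

```python
import csv
import io
import re

FIXED = (5, 10, 0)  # Zoom version the article says to update to

# Constructed inventory export (hypothetical hosts, columns and build suffixes).
SAMPLE_INVENTORY = """host,platform,zoom_version
lap-001,Windows,5.9.6.4993
lap-002,macOS,5.10.0 (5714)
ph-003,iOS,5.9.1
ph-004,Android,5.11.3
lap-005,Windows,unknown
"""


def parse_version(text):
    """Return the first three numeric components as a tuple, or None."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory_csv, fixed=FIXED):
    """Sort hosts into outdated, current and unknown buckets."""
    result = {"outdated": [], "current": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["zoom_version"])
        if version is None:
            # An unreadable version is not proof of a patched client.
            bucket = "unknown"
        elif version < fixed:
            # Tuples compare numerically; as strings "5.9.6" sorts after "5.10.0".
            bucket = "outdated"
        else:
            bucket = "current"
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown bucket need manual follow-up, since a missing version string says nothing about whether the client is patched.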

Other smart cyber hygiene habits that limit your risk include deleting old apps that you no longer use. Even if these services were once safe, malicious actors can compromise them in the future. Plus, you should always use strong passwords and two-factor authentication while conducting frequent data backups to reduce your exposure.

Choose the best-managed security services

Zero-click attacks are a concern for businesses, although these complex threats are usually reserved for only the highest-profile targets. By adopting comprehensive data security standards, you will protect your organisation and its employees against these and many other cyberattacks.

You can also partner with LRQA for CREST-approved managed security services. Our global specialists are trusted to safeguard data held by many of the world’s leading companies. Get in touch with our cybersecurity experts to learn how we can help.