Zero-click attacks have become widespread in the last few years. One of the worst things about these breaches is that they don't require any action from the victim. Even worse, they can compromise any type of device, from PCs to Macs, Androids, and iPhones.
Zero-click breaches are highly sophisticated and highly targeted. These attacks can devastate systems, causing massive damage before victims even realize something is amiss. Besides the term "zero-click attack," people also refer to these actions as "zero-click exploits" or "fully remote attacks."
What are zero-click attacks?
Unlike other types of hacks, which require some sort of action from a victim, zero-click attacks focus on system vulnerabilities to bypass the existing defense. Even if you have the best antivirus suite, you won't be protected.
Before going any further, we need to make a distinction between the zero-day and zero-click approaches. Zero-day attacks are similar to zero-clicks as they focus on system vulnerabilities. However, unlike the latter, they require some sort of action from the victim. In that sense, zero-click attacks are much more malicious and can target even the most tech-savvy users.
Not only does zero-click provide "better" results, but it's also harder to detect. Because the other person doesn't have to do anything, it's much harder to figure out what happened. Furthermore, there are fewer traces of harmful activity.
In many ways, these cyberattacks are entirely invisible to the victims. All that a hacker needs to do is find a hole in an app and send malicious code. After that, they can casually browse data on your phone without you ever realizing that something’s happening.
Although the zero-click concept has existed for a while, these attacks have become more widespread in the last few years. This has to do with the increased popularity of mobile devices and the fact they're susceptible to security breaches. Furthermore, given that people keep the majority of their personal data on phones, it’s really easy to exploit the situation.
With this approach, hackers have more direct access to a database, and they don't have to rely on low-success strategies such as phishing.
How does this method work?
Most hacking strategies require some sort of social interaction. To start the process, a person needs to click on a harmful link or install a specific app. This gives attackers an access point to their devices. As mentioned, the zero-click method can completely bypass this and go straight for the data.
When a hacker uses zero-click, they’re actually exploiting flaws in a particular device or app. They can access just about any system by relying on a data verification loophole. In fact, the reason why verification was introduced on our phones, in the first place, was to prevent these intrusions.
Unfortunately, there’s always some vulnerability that has yet to be patched. As long as this flaw exists, hackers can use it to their advantage. Cybercriminals can use zero-day vulnerabilities to implement zero-click attacks.
In most cases, attackers focus on applications with voice calling or messaging features. The reason is that people use these platforms to receive and send data to external sources, most of which are not trustworthy. Usually, cybercriminals rely on specific types of data, like images or hidden text messages, for injecting harmful code.
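The kind of data verification this section refers to, as an added example (not code from the original article or from any real messaging app): a receive-path parser that rejects an image attachment whose declared fields disagree with the bytes that actually arrived. The wire format, `parse_attachment`, and the sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical attachment format, constructed for this example:
 * "IMG0" | width u16 BE | height u16 BE | payload length u32 BE | payload
 * (one byte per pixel). */
#define HDR_LEN 12u
#define MAX_PIXELS (4096u * 4096u)

enum parse_result { PARSE_OK, ERR_TRUNCATED, ERR_MAGIC, ERR_DIMENSIONS, ERR_LENGTH };
struct image_view { uint16_t width, height; uint32_t len; const uint8_t *pixels; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Runs on receipt, before the user sees anything, so every field is untrusted. */
enum parse_result parse_attachment(const uint8_t *buf, size_t n, struct image_view *out) {
    if (buf == NULL || out == NULL || n < HDR_LEN) return ERR_TRUNCATED;
    if (memcmp(buf, "IMG0", 4) != 0) return ERR_MAGIC;
    uint16_t w = be16(buf + 4), h = be16(buf + 6);
    uint32_t declared = be32(buf + 8);

    /* Widen before multiplying: uint16_t operands promote to int, where
     * 65535 * 65535 overflows. Then cap the size a decoder would allocate. */
    uint64_t pixels = (uint64_t)w * h;
    if (pixels == 0 || pixels > MAX_PIXELS) return ERR_DIMENSIONS;

    /* The declared length must agree with the dimensions AND with the bytes
     * received; a decoder that trusts either one alone can be steered past
     * the end of its buffer. */
    if (declared != pixels || declared != n - HDR_LEN) return ERR_LENGTH;
    out->width = w; out->height = h; out->len = declared; out->pixels = buf + HDR_LEN;
    return PARSE_OK;
}

/* Constructed sample messages: well-formed, lying length, oversized dimensions. */
static const uint8_t MSG_OK[]  = {'I','M','G','0', 0,2, 0,2, 0,0,0,4, 9,9,9,9};
static const uint8_t MSG_LIE[] = {'I','M','G','0', 0,2, 0,2, 0,0,1,0, 9,9,9,9};
static const uint8_t MSG_BIG[] = {'I','M','G','0', 0xFF,0xFF, 0xFF,0xFF, 0,0,0,4, 9,9,9,9};

int main(void) {
    struct image_view v;
    return parse_attachment(MSG_OK, sizeof MSG_OK, &v) == PARSE_OK
        && parse_attachment(MSG_LIE, sizeof MSG_LIE, &v) == ERR_LENGTH
        && parse_attachment(MSG_BIG, sizeof MSG_BIG, &v) == ERR_DIMENSIONS ? 0 : 1;
}
```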
Examples of zero-click attacks
In the last decade or so, there have been several cases of devastating zero-click attacks that shook the business world.
The general public was first introduced to this concept in 2010, during DEFCON18. Chris Paget, who was working as a security researcher at the time, showed the audience how you can exploit GSM, or Global System for Mobile Communications, with messages and phone calls. According to him, the protocol's design was completely broken, creating numerous openings for hackers.
One of the first major zero-click attacks happened in 2015. Android malware, called Shedun, exploited the device’s Accessibility Service to install malicious adware. Shedun could read the text appearing on the screen. It could also scroll through the permission list, check the application installation prompt, and start installations without relying on the users' actions.
An even bigger breach occurred in 2016. An unknown attacker infected the Emirati surveillance tool called Karma. The perpetrator managed to exploit a weakness found within the software's iMessage feature. Malware sent text messages to victims’ phones and emails, and users were instantly infected without taking any action.
Upon sending the text, the cybercriminal was able to access victims' emails, pictures, locations, and other sensitive data.
As time went on, these breaches became more common. Aside from cybercriminals, state organizations and surveillance companies also started using zero-click attacks to pursue their own agendas. There were also cases where infections were used for accessing users’ location data which, in turn, led to their assassination.
What does a zero-click attack look like?
Here's what an actual attack would look like:
- Hackers find a vulnerability in a victim's app.
- They create a special message that would attack the vulnerability.
- Malicious elements infect the device through emails that use the device's extensive memory.
- Cybercriminals' messages might not even remain on the device, making it harder to track the origin of the attack.
- Upon completing these actions, the hackers can access the data and alter it.
Keep in mind that the nature of the attack can vary based on the specific vulnerability that is being exploited.
Malicious data can take different forms. It can come in the shape of an authentication request, network packet, voicemail, text message, phone call, etc. Most commonly, hackers execute their dirty deeds via WhatsApp, Skype, Telegram, and similar platforms.
There’s another major issue with zero-click attacks. Given that all these apps use people's phone numbers, it's really easy to identify users and determine their geographic location. This makes it much easier to target economic and political entities. As mentioned previously, zero-click attacks were even used for a few assassinations.
However, there are also some positives about zero-click attacks. Specifically, intelligence agencies have started using this approach as a way of monitoring criminal suspects and other people of interest around the globe.
How to protect yourself from zero-click attacks?
Due to the nature of these attacks, it's hard to prevent them. Ideally, you should avoid using messaging apps altogether, but this isn't realistic. Experts recommend high-tier cyber-security defenses as your best bet for addressing the issue.
Here are the main things you should pay attention to:
- Make sure that all your systems and apps are regularly updated. Although there will always be certain vulnerabilities that hackers can exploit, most companies try to patch them as soon as possible.
- Avoid suspicious apps. If an application isn't verified in the store and there aren't enough reviews, it's much better to stay away from it. Additionally, you should perform a background check on the developer and see if they're a legitimate company. Furthermore, never download apps from unknown platforms.
- Remove all the apps that you’re no longer using. If you still wish to keep them, you should at least block their access to sensitive data.
- Although most people hate multi-factor authentication, this is one of the best ways of protecting yourself from outside intrusions. Authentication is crucial for payment processors, social media, email, and all other sites that you visit regularly.
- You should always use smart passwords. Most notably, you shouldn’t use the same phrase for all your accounts.
- Spam and pop-ups can be extremely dangerous as hackers use them to spread malware. You can block them by installing extensions or changing browser settings.
- Although regular scans won’t necessarily block the attacks, they can address the issue as soon as it appears. Investing some money in quality antivirus protection and anti-malware is always recommended.
- Employees who handle sensitive company information are usually the target of these attacks. Having two phones is always a good idea, especially if you're a business owner or in charge of security. Even if one of them is compromised, you won't endanger all the data simultaneously.
- Create backups whenever you can. For example, you can implement a weekly practice where you will copy-paste all your sensitive data onto an external hard drive. This is especially important if you're a target of a ransomware attack. That way, you can delete the files from your PC without losing anything.
- Avoid “rooting” and “jailbreaking” practices. These actions put you outside Google’s and Apple’s protection.
Although we can’t live like hermits and completely avoid using our phones, we need to be smart when doing so. All these daily actions, such as creating passwords for new sites or performing two-way authentication, should be taken seriously. In most cases, they’re your last line of defense against these intrusions.
These rules are essential for businessmen, politicians, and other people of interest. Although zero-click attacks might not be as threatening for everyday users, they're still something you need to consider when using a phone.