The Intivix Blog

How Concerned Should You Be About Zero-Click Attacks?

Zero-click cyber-attacks on mobile devices. Yep, they are real. They’ve happened within the recent past (i.e., last year), and they will likely happen again. But are zero-click attacks something the everyday mobile device user should worry about? Not likely, but be aware of what they are, how they are being used, and what you can do.


What Is A Zero-Click Cyber-Attack?

Zero-click attacks are fully remote cyber-attacks that provide access to the attacked smartphone in real time, without any interaction from the target. In other words, the attack can take place without a click on a malicious website or malicious app. These types of zero-click attacks tend to leverage apps that provide a form of messaging or voice calling because, by design, these apps receive and parse data from multiple sources on a regular basis. This means a hidden text message, image or call can inject code into the target’s mobile device, compromising the device.

How Are Zero-Click Attacks Being Used?

Zero-click attacks are impactful, difficult to defend against and typically very targeted. This means that zero-click attacks tend to target a very small portion of the population: “high-value” targets. This type of mobile spyware is typically intended for fighting crime and terror attacks, and for use by government operatives.

In 2020, however, a zero-click attack targeted the personal phones of around three dozen journalists, producers, anchors, and executives at Al Jazeera, a media network in Qatar. In this case, the exploit came in the form of an iMessage and originated with government operatives. These operatives utilized the NSO Group’s Pegasus spyware, which is a mobile phone surveillance solution.

Once initiated, zero-click attacks are typically pretty successful. This is partially because no action is needed on the part of the person being attacked. The attacks are extremely difficult to prevent, even by those trained to prevent these types of attacks. In addition, zero-click attacks are difficult to track after they have been carried out.

What Can You Do To Prevent A Zero-Click Attack?

The majority of the responsibility for preventing zero-click attacks falls on the smartphone manufacturers and app developers. It is imperative that they work to limit the opportunities for exploitable bugs on devices and apps. The best thing every mobile phone user can do is to keep their devices’ operating systems up to date, and ensure that bugs are patched. It doesn’t sound like much, but that is your best course of prevention.

If you believe you are part of that “high-value” target group (again, a very small group of the population), then err on the side of caution and assume tracking is in place. Use a form of audio masking to prevent attackers from learning about your conversations, or from capturing images of your surroundings. In addition, use an RF shielding device when traveling. This can minimize how much location information is being leaked.

Should You Be Concerned About Zero-Click Attacks?

As a regular mobile device user, you are unlikely to become a victim of a zero-click attack. But it is important to be aware that these types of attacks are real, and that their use appears to extend beyond the “crime and terror” targets.

Staying informed is key when it comes to cybersecurity, and that applies to zero-click attacks as well.