Zero Click Exploit

What is a zero-click exploit?

A zero-click exploit is a malicious attempt to find vulnerabilities in a specific person’s device, infect it with malware, spyware, etc. Zero-click exploits are designed to remain in stealth mode while taking control of the device. As the name implies, a zero-click exploit is a type of cyberattack that infects devices without any help from the victim.

How zero-click attacks work

Instead of using social engineering to manipulate victims, zero-click attacks take advantage of the vulnerabilities within the operating system (OS) of the victim’s device. Zero-click attacks rely on the loopholes of device OS and software apps that parse data, such as iMessage and WhatsApp. Mobile devices and software apps have security settings that support data parsing to verify and determine if the source can be trusted. Zero-click exploits take advantage of these settings to sneak into a victim’s device.

A typical zero-click attack works like this:

• A hacking group discovers a vulnerability in a device or an instant messaging app, e.g., WhatsApp
• They write a code for a zero-click attack and disguise it in a GIF or video
• The attacker acquires the zero-click attack program
• The attacker gets their target’s phone number, email address, or Apple ID
• They create and send a malicious zero-click message to the target’s device
• The vulnerability in the device or instant messaging app allows the zero-click attack to access and infect the target’s device
• The zero-click attack installs itself and gains remote control of the device
• The attacker then deletes the message that infected the device to prevent the victim from tracing the attack
• The zero-click attack starts implementing the purpose for which it was designed, perhaps to collect the victim’s data — text messages, calls, etc.

Popular zero-click exploits

Let’s discuss some of the most popular zero-click attacks over the years, including the one linked to the death of a journalist in 2018.

Pegasus spyware

Pegasus is a zero-click attack program created by an Israeli firm known as the NSO Group. Pegasus is a powerful program that can access text messages, the device’s mic and camera, track calls and victims’ locations, and collect data from the apps on the victim’s device.

The Citizen Lab and Amnesty International worked on many Pegasus attacks, some of which were linked to murders, including the death of a Washington Post journalist, Jamal Khashoggi. According to Citizen Lab, a UAE government agency tried to install Pegasus on the Android phone owned by Hanan Elatr, Jamal’s wife. Amnesty International also noted that the attacker used Pegasus spyware to send five SMS text messages to Hanan Elatr in November 2017 and a sixth one in April 2018.

Since Pegasus zero-click exploit can access text messages and track the victim’s location, the Washinton Post suggests that the spyware monitored the chat between Hanan and Jamal. As a result, Jamal’s location might have been exposed to the attackers, leading to his murder on October 2nd, 2018.

Apple flaws

Since zero-click attacks gained popularity, Apple has had to respond to a few no-click hacks that exposed iPhone users to attackers and compromised their safety.

In 2021, Citizen Lab discovered that the iPhone 12 Pro of a Bahraini human rights activist had been hacked with the help of a zero-click exploit. The attacker took advantage of a zero-day vulnerability in the latest iOS version (iOS 14.4 and iOS 14.6 later) at the time.

The bug in the iOS versions allowed the attacker to use Pegasus to breach Apple’s data protection technology, BlastDoor, and infect the Bahraini activist’s iPhone. Apple confirmed that the attacker took advantage of a zero-day vulnerability in iOS and macOS, precisely in the image rendering library of Apple devices called CoreGraphics. Apple released a security patch in the next iOS (iOS 15) in September 2021, fixing the vulnerability.

Another zero-click attack event worthy of mention is the Project Raven case that started in 2016. Project Raven is the codename of a UAE hacking unit comprised of Emirati police officials and retired US intelligence working as contractors. Project Raven used Karma, a zero-click attack program, to exploit a flaw in Apple’s iMessage, targeting 100s of people, including current Qatar monarchy ruler, Emir Sheikh Tamim bin Hamm al-Thani.

WhatsApp

WhatsApp filed a complaint against the NSO Group, and Q Cyber in 2019, alleging that they spread malware to 1,400 mobile phones via WhatsApp servers targeting activists, journalists, etc. Like the Bahraini activist case, the attacker also exploited a zero-day vulnerability in WhatsApp to infect over a thousand mobile phones with zero-click spyware, Pegasus, and Candiru. Although the court case is ongoing, WhatsApp has since patched the zero-day vulnerability that led to the attack and informed the 1,400 users.

Jeff Bezos has also been a victim of a zero-click attack that infected his iPhone via WhatsApp in 2018. According to Motherboard's report of the attack, the Crown Prince of Saudi Arabia, Mohammed bin Salman, sent Bezos a video file on May 1st, 2018. It was a telecom promotional video in Arabic, but it contained an encrypted downloader that installed spyware into Bezos’ phone gathering his information for months.

Who is the NSO group?

The NSO Group is an Israeli cyber intelligence firm created by three men, Niv Karmi, Shalev Hulio, and Omri Lavie. NSO Group created the world’s most notorious spyware, Pegasus, which has been used by governments of the US, Djibouti, Poland, India, etc. NSO Group markets Pegasus as a tool to catch terrorists and dangerous criminals. For example, Mexico used it to capture cartel boss Joaquin Guzman, the famous El Chapo.

However, Pegasus has also been used by tyrants and unethical intelligence bodies to infringe upon the privacy of upstanding citizens like journalists and women’s rights activists. Mexico, Saudi Arabia, and the UAE have all been linked to Pegasus attacks that involved human rights abuses, yet the CIA and FBI each bought one Pegasus program in 2019.

How do you know if you’ve been targeted?

Although, given the high cost and complex code, there’s a low chance that the average person will fall victim to a zero-click attack. However, we can’t rule out the possibility.

How to see if your phone has been targeted by a zero-click exploit:

1. Check your phone network logs for any outlying domains or IP addresses.
2. If you find any remote domain or IP address in your phone logs, your device has probably been infected with a zero-click attack program, which might even be the Pegasus spyware
3. At this point, there isn’t much you can do except erase the device and get a new one
4. You can also contact a reliable cybersecurity firm equipped to run deep analytics of your device to discover how the zero-click attack infected it. This might let you know who to be wary of, like in the case of Jeff Bezos vs. the Crown Prince of Saudi Arabia.

How to protect yourself from zero-click attacks

Despite the stealthiness of zero-click attacks, you can mitigate the risks if you ever become a target of a computer exploit by practicing these ironclad cybersecurity measures.

• Update devices
• Back up all your devices regularly
• Delete all apps you don’t use
• Stay away from “jailbreaking” or “rooting” your phone
• Download apps from official stores
• Use multi-factor authentication
• Enable password protection/face recognition/fingerprint scanner on your device
• Don’t open email attachments
• Don’t click links (URLs) in emails unless you know who sent the URL
• Use a firewall
• Install an antivirus program
• Use two smartphones - one for work and the other for personal life

Update devices

Device manufacturers and legitimate app developers constantly audit their operating systems (OS) and software apps to find any loopholes that can expose users to security risks. Once they find such loopholes, they develop security patches and include them in the next OS or software updates. Therefore, update your devices and software apps regularly, especially apps that receive data and messaging apps like WhatsApp and Telegram.

Back up all your devices regularly

Although zero-click attacks are not necessarily known for deleting or corrupting the data on the target device, you risk losing your data if your device gets infected. Remember, the ultimate solution for a zero-click attack is to erase the device and get a new one. Hence, backing up your data regularly will make it easier to manage.

Delete all apps you don’t use

You’re more likely to stop updating an app you no longer use. As a result, the app will have an old software version that doesn’t contain the latest security patches and can expose your device to zero-click attacks. Check your devices regularly for the apps you rarely use or have stopped using, and uninstall them, especially apps that receive data, such as Telegram.

Stay away from “jailbreaking” or “rooting” your phone

Jailbreaking or rooting your phone can disrupt or remove built-in security technologies that are supposed to protect it against malicious code. It also allows the phone to install verified and unverified software apps from unauthorized third-party app stores, exposing it to risks such as zero-click attacks. So, avoid jailbreaking or rooting your phone, and don’t buy an already jailbroken or rooted device.

Download apps from official stores

App stores on iOS, Android, Windows, Mac, and Linux scrutinize apps and their developers before distributing software. They do this to ensure that the apps they distribute to users are legitimate and contain little to zero glitches that can cause security risks. You can’t be sure of the same level of commitment from third-party app stores, so avoid downloading apps from unofficial app stores.

Use multi-factor authentication

In the event of a zero-click attack, enabling multi-factor authentication on your accounts can frustrate the attacker’s attempt to log into your online accounts. Since multi-factor authentication forces you to authorize a login attempt into your account in different ways, including entering a one-time password (OTP), the attacker may not have such access. Therefore, while an attacker might have hacked into your device, they may be unable to log into your banking platform or hack into your accounts on platforms like LinkedIn.

Enable password protection/face recognition/fingerprint scanner on your device

Enable password protection on your devices, and if your device supports classic numeric/alphanumeric password protection, face recognition, and fingerprint scanner, use all of them. Avoid using the same password across multiple devices or using the same password when you replace devices from old to new. Instead, create a strong password that can’t be easily guessed for each device — you can also use a password generation tool to create a strong password.

Don’t open email attachments

Never allow curiosity to get the best of you when you receive an email with attachments from an unknown or untrusted sender. When you open an email, carefully read the subject, body, and sender’s address to confirm that they are someone you know. Cybercriminals can create an email address similar to the email address of someone you trust, so only open email attachments after confirming it’s from someone you trust.

Don’t click links (URLs) in emails unless you know who sent the URL

Similar to email attachments, cybercriminals have sent countless malicious links via emails to unsuspecting people who clicked and got hacked. Be cautious about clicking links (URLs) from within the email app, even if it’s from someone you trust. Instead of clicking a link directly from the email, type the URL manually or copy and paste it into your browser.

Use a firewall

All major OS have built-in firewalls that create a security barrier and protect against malicious traffic into your device. Additionally, you can install a network address translation (NAT) firewall at the network level to hide the IP addresses of the devices on your network. A NAT firewall gives you an additional protection layer that can block communication with malicious devices online.

Install an antivirus program

Installing an antivirus on your device gives you the necessary protection when you engage with malicious content. So, install reliable antivirus software from a legitimate provider, and update it regularly to enjoy complete protection against security risks.

Antivirus is certainly one of the must-have tools for your device. However, in order to fully protect yourself from anyone sniffing around your personal life, try Clario’s AntiSpy solution. Clario offers an anti-spy suite with personalized features for mobile users and an all-around cybersecurity solution for your Mac. Try Clario now.

Use two smartphones — one for work and the other for personal life

If you are involved in a sensitive project or work in a field that can make you a high-profile cyberattack target, use two smartphones. Use one phone for your personal affairs and the other exclusively for your work, and ensure that your work identity and personal identity are separate. This will make it difficult for cybercriminals targeting you with zero-click exploits to access delicate information about you, such as your real-time location.

Conclusion

Contrary to the belief that iOS is more secure than Android and less prone to cyberattacks, iPhone users have had their fair share of zero-click attacks. There’s no iOS vs. Android security battle in the fight against cyberattacks, certainly not with zero-click exploits. Create a secure barrier to protect your devices and online accounts against zero-click attacks with Clario.