You may have heard of zero-day attacks before. These cyberattacks do not require any user action as a trigger: once the malicious code reaches your device, the attack runs automatically. They are nasty attacks, and everyone should be aware of them. They use sophisticated tactics and can have devastating consequences while the victim has no idea what happened in the background. The terms ‘zero-click attacks’ and ‘zero-click exploits’ are used interchangeably; they are also called interaction-less or fully remote attacks. This article explains what zero-click attacks are, how they work, and how to protect yourself.
What is Zero-Click Exploit Malware?
It is a type of attack that takes advantage of software vulnerabilities without any user interaction. By exploiting the vulnerability, the exploit may install malware or perform other malicious actions on the user’s device.
Traditionally, spying software works by first convincing the target to tap a compromised link or file so that it can install itself on a phone, tablet, or PC. In a zero-click attack the victim does not need to click anything: the software is installed on the device without any link being opened. That is why zero-click (or no-click) malware is considered more harmful.
Because these attacks involve so little interaction, they leave fewer traces of malicious activity. In addition, the vulnerabilities that cybercriminals exploit for zero-click attacks are quite rare. A basic zero-click attack leaves hardly any traces, which makes it hard to detect. The same features that make software more protected and secure can make these attacks harder to identify. While such attacks have been around for years, the rise of mobile devices has made the problem worse. Let’s look at how they work.
How does a Zero-Click Attack Work?
This hacking process exploits flaws in your device. It works its way into the system through a loophole in data verification. Software normally uses data verification procedures to keep breaches out; sophisticated attackers are able to exploit weaknesses in those procedures to execute a cyberattack.
A hypothetical zero-click attack proceeds as follows:
- The attackers identify a vulnerability in a mail or messaging application.
- They send a meticulously crafted message to the target device to exploit the vulnerability. Attackers generally use specially formed data, for instance a pixel or a hidden text message, which lets them place the compromising code on the device. The vector may also be a video conferencing session, a voicemail, an authentication request, or a phone call. Any of these can exploit a vulnerability in an app that processes and evaluates the data. Using the vulnerability, attackers can remotely infect the targeted device with malware, spyware, trojans, and so on.
- Once the device is infected, the attackers access its contents and gain complete control over it. They can even send messages on behalf of the user by impersonating them.
- By the time the victim realises they have been hacked, it is too late; the attack is already complete, and the user cannot find any trace of the attacker’s compromising message.
- It is hard to pin down the specifics of this type of attack.
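The “data verification loophole” described above is easiest to see in code. The following is an added example, not code from the article or from any real messaging app: a tiny receiver for a constructed wire format (one byte of message type, a two-byte big-endian payload length, then the payload). The unchecked parser trusts the length field the sender supplied; the hardened parser validates it against both the bytes that actually arrived and the buffer it copies into.

```c
/* Added example (hypothetical format, not any real app's protocol). */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

struct msg {
    uint8_t  type;
    uint16_t len;
    char     payload[MAX_PAYLOAD];
};

/* Vulnerable parser: trusts the sender-supplied length field. A crafted
 * message claiming len > MAX_PAYLOAD overruns the fixed buffer, which is
 * the kind of memory-safety flaw an exploit chain starts from. Shown for
 * contrast only; it is never called with hostile input here. */
int parse_unchecked(const uint8_t *buf, size_t buflen, struct msg *out) {
    if (buflen < 3) return -1;
    out->type = buf[0];
    out->len  = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(out->payload, buf + 3, out->len);      /* len is never bounded */
    return 0;
}

/* Hardened parser: every value read from the network is checked before use.
 * Returns 0 on success, -1 if the header is truncated, -2 if the claimed
 * length exceeds the destination buffer, -3 if it exceeds the data received. */
int parse_checked(const uint8_t *buf, size_t buflen, struct msg *out) {
    if (buf == NULL || out == NULL || buflen < 3) return -1;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > MAX_PAYLOAD) return -2;            /* would overflow payload[] */
    if ((size_t)len > buflen - 3) return -3;     /* would read past the input */
    out->type = buf[0];
    out->len  = len;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, buf + 3, len);
    return 0;
}

int main(void) {
    /* Constructed samples: a valid 5-byte message and one claiming 65535 bytes. */
    const uint8_t ok[]  = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t bad[] = {0x01, 0xFF, 0xFF, 'x'};
    struct msg m;
    printf("valid message: %d\n", parse_checked(ok, sizeof ok, &m));
    printf("oversized length: %d\n", parse_checked(bad, sizeof bad, &m));
    return 0;
}
```

The same discipline applies to every field a parser reads from untrusted input, whether in a PDF, an image, or a VoIP packet: check the claimed size against what arrived and against where it is going before copying.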
Pegasus Spyware and Other Popular Zero-Click Exploits:
Although these attacks have only recently become widely known, they have existed for a long time and now cover a wide range of attack surfaces. These are a few well-known zero-click hacks from recent years:
- Pegasus Spyware: Researchers at Citizen Lab found a zero-click exploit against Apple’s iPhone in September. The malware enabled attackers to spy on their victims. The spyware was developed by the Israeli company NSO. Using this exploit, attackers installed the Pegasus malware on the target’s iPhone via a PDF file that was crafted so that the malicious code executed automatically.
- WhatsApp Flaw: In 2019, WhatsApp Messenger served as an entry point for attackers trying to install spyware on victims’ devices. The vulnerability was a buffer overflow in WhatsApp’s VoIP (Voice over Internet Protocol) component. It was triggered when the attacker placed a WhatsApp call to the target’s smartphone (iOS or Android).
- Apple Mail App Flaws: ZecOps, a cyber security company, found zero-click attacks against Apple’s Mail app in April. The company later published a write-up explaining that attackers sent crafted emails to Mail users that made their devices vulnerable.
Examples of zero-click malware:
Zero-click vulnerabilities can affect many kinds of devices, whether Apple or Android. These are some high-profile instances of zero-click exploits:
- Apple zero-click, FORCEDENTRY, 2021: A Bahraini human rights activist found their iPhone hacked in 2021 by powerful spyware sold to nation-states. Researchers at Citizen Lab, an internet watchdog based at the University of Toronto, later discovered the attack. They analysed the activist’s iPhone 12 Pro and found evidence of a zero-click attack that took advantage of a previously unknown security vulnerability in Apple’s iMessage.
- WhatsApp breach, 2019: A missed call triggered the infamous breach by exploiting a flaw in WhatsApp’s code. The attacker used a zero-day exploit to load spyware into the data the two devices exchanged as a result of the missed call. Once loaded, the spyware established itself as a background process.
- Jeff Bezos, 2018: In 2018 Mohammed bin Salman, Saudi Arabia’s crown prince, sent a WhatsApp message to Amazon CEO Jeff Bezos. The message contained a video promoting Saudi Arabia’s telecom market. According to reports, the video file included a piece of code that allowed the sender to extract information from Bezos’s iPhone for months.
- Project Raven, 2016: Project Raven is the UAE’s offensive cyber operations unit, staffed by Emirati security officials and former US intelligence operators working as contractors. According to reports, a tool named Karma was used to take advantage of a flaw in iMessage. The tool used crafted text messages to attack the iPhones of diplomats, foreign leaders, activists, and others, with the aim of obtaining images, emails, text messages, and location information.
Types of Zero Click Exploits:
The smartphone is the main target of these attacks. It runs many communication apps (SMS, phone, messaging, and social media), which gives attackers looking for an exploitable vulnerability a broad attack surface.
A few groups are known for identifying zero-click exploits. The NSO Group has discovered and produced exploits for many zero-click vulnerabilities in iPhones and Android devices. These vulnerabilities are exploited to deliver the Pegasus spyware, which is sold to governments for uses such as law enforcement, intelligence collection, and tracking journalists and activists.
Although the NSO Group is the best-known purveyor of spyware that exploits such vulnerabilities, other groups have the same capability. Other cyber threat actors can identify and weaponize these vulnerabilities as well.
How to Protect Yourself from Zero-Click Exploits:
Evading detection by the user is the whole point of these exploits. Because no user interaction is needed, the target never gets a chance to notice the threat. That does not mean protecting against such attacks is impossible. Rather than responding to an attack in progress, mitigating them calls for proactive, preventative measures such as:
Update Apps & Devices: These exploits take advantage of unpatched vulnerabilities in device apps and operating systems. Keep your apps and devices updated to reduce your exposure to these attacks.
Install Anti-Spyware & Anti-Malware Solutions: The exploits deploy spyware and other malware to devices. Anti-spyware and anti-malware solutions can identify and remediate these infections, which helps limit the impact of a successful zero-click exploit.
Avoid Unsafe Applications: Exploitable vulnerabilities may be present in apps downloaded from third-party app stores or other sites. Install apps only from reliable app stores to reduce the risk.
Zero-click attacks are undoubtedly scary. State actors use zero-click vulnerabilities to go after high-profile targets. Even so, it is always worth keeping an eye out for suspicious activity on your devices.
Frequently Asked Questions
- Is a zero-day exploit a virus?
Zero-day malware is also called a zero-day virus. It is a previously unknown computer virus for which specific antivirus signatures are not yet available.
- Which zero-day exploit is famous?
Stuxnet is a very well-known instance of a zero-day attack.
- Is Pegasus zero-click?
Zero-click attacks allow spyware such as Pegasus to gain control of a device without any user interaction.