Zero Click Attack: An Overview

With the NSO Group’s Pegasus in the global news, many people want to know exactly what it is and how it functions so that the necessary preventive measures can be taken. From what can be gathered, Pegasus has been identified as a zero-click attack. To understand this form of attack, some fundamental questions have to be raised. Can you be under threat even when you are just surfing the internet and being careful not to click on suspicious links? Is Big Brother watching you, and who is this Big Brother? Should one be bothered by the hacks being reported, or is it just high-profile people being targeted? We will try to answer some of these questions in this piece. By the end, the reader should know what a zero-click attack is and how it functions, along with important methods to protect oneself from these sneak attacks being perpetrated in today’s world.

What is a Zero-Click-Attack?

As one might guess from the name, a zero-click attack requires zero clicks, which means that this type of cyber threat does not require any voluntary action from the targeted user. This implies that even a very careful and conscious internet user can fall prey to such spyware. Other cyber-attacks and breaches generally rely on phishing, which means that at some point while using the device, the targeted user must have performed some action (as little as a click on a malicious link) to trigger the spyware in question. A zero-click attack, on the other hand, exploits flaws in the targeted device itself, and any type of device can be affected, including macOS, Windows, iOS, and even Android. These attacks use data verification loopholes to work their way into one’s device. Even though software is continually upgraded and flaws are patched in minor updates, some loopholes remain and lead to theft of data and loss of privacy.

Why should you be worried about a Zero-Click-Attack?

Common people like you and me should be careful. These zero-click attacks are a cause for worry because they are now happening in real life; they are no longer just a part of sci-fi movies with unrealistic plots. Science is moving forward, and so are the ways hackers try to steal data. And data, as we all know, is very important in today’s world; it will be tomorrow’s hottest currency. Mass cyber-attacks are common, but zero-click attacks are highly targeted and use sophisticated technology. These attacks can have egregious consequences, which could result in one risking and ultimately losing one’s entire life without even knowing it, since they work in the background. Another reason to be worried is that this malicious software installs itself in the background and steals the data already on the device, while also using the camera, microphone, and location coordinates, so it amounts to real-time data theft as well.

How does a Zero-Click-Attack work?

A zero-click attack primarily looks for loopholes in data verification. So something like an Application Push Notification (APNs) feature could help spyware like Pegasus to enter the device and treat its data as its own. Software that is not up to date is the breeding ground for such attacks, since it has not been upgraded with the latest security features that protect against such breaches.
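
To make "data verification" concrete, here is an added example (not from the original article and not code from any real app) of the checks a parser must apply to data it processes automatically. The wire format, function names and sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format (assumed for this example, not a real protocol):
 * byte 0 = record type, bytes 1-2 = declared payload length (big-endian),
 * bytes 3.. = payload. */
#define HEADER_LEN 3u
#define OUT_CAP 16u

enum parse_status { PARSE_OK, ERR_SHORT_HEADER,
                    ERR_LEN_EXCEEDS_INPUT, ERR_LEN_EXCEEDS_BUFFER };

enum parse_status parse_record(const uint8_t *in, size_t in_len,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (in_len < HEADER_LEN)
        return ERR_SHORT_HEADER;
    size_t declared = ((size_t)in[1] << 8) | in[2];
    /* The declared length is sender-controlled: compare it with the bytes
     * actually received before reading, or the copy runs past the input. */
    if (declared > in_len - HEADER_LEN)
        return ERR_LEN_EXCEEDS_INPUT;
    /* Compare it with the destination size before writing. */
    if (declared > out_cap)
        return ERR_LEN_EXCEEDS_BUFFER;
    memcpy(out, in + HEADER_LEN, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Helper: parse into a fixed OUT_CAP-byte buffer and report the status. */
enum parse_status check(const uint8_t *in, size_t in_len)
{
    uint8_t out[OUT_CAP];
    size_t n;
    return parse_record(in, in_len, out, sizeof out, &n);
}

/* Constructed sample records. */
const uint8_t GOOD[]       = {0x01, 0x00, 0x02, 'h', 'i'};
const uint8_t LYING_LEN[]  = {0x01, 0xFF, 0xFF, 'h', 'i'}; /* claims 65535 */
const uint8_t OVERSIZE[23] = {0x01, 0x00, 0x14};  /* 20 zero payload bytes */

int main(void)
{
    return check(GOOD, sizeof GOOD) == PARSE_OK &&
           check(LYING_LEN, sizeof LYING_LEN) == ERR_LEN_EXCEEDS_INPUT ? 0 : 1;
}
```

A parser that omits either comparison trusts a value the sender chose, which is the kind of verification gap the paragraph above describes.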

A step-by-step guide on how zero-click attacks work:

  1. The spyware handler or threat actor studies the target and looks for any loopholes or vulnerabilities that can be taken advantage of. In other words, they look for areas that can be exploited in applications that are already on the phone (WhatsApp video-missed call feature, 2019).

  2. The second step involves planning how to inject the spyware into the targeted user’s device. Generally, special data is crafted, which might include hidden text messages or images; this data triggers the spyware, which then starts functioning on the victim’s device.

  3. The final step involves exploiting the data and privacy of the targeted user. The spyware is made in such a way that it does not let the victim know it is running in the background, and it keeps sending sensitive data to the person exploiting it. In addition, it does not leave any traces behind. Usually, it has a self-destruct mechanism and simply vanishes from the targeted user’s device.

Are there any other Zero-Click-Attacks apart from Pegasus?

As of now, not many zero-click spyware tools are known to the common people. Pegasus has become widely known because of the allegations that the Indian Government had been spying on several people. And even Pegasus has not always been zero-click spyware. The earliest identified attack perpetrated with Pegasus dates back to 2016 and used a spear-phishing technique. It was only in 2019 that the NSO-developed Pegasus was identified as zero-click spyware. However, there are other communities where such software can be easily found and deployed or even customized, like GitHub, which serves as an open online community of coders.

Can you prevent yourself from a Zero-Click-Attack?

As we have already learned, any flaw left unpatched can become a data hazard, so it seems practically impossible to prevent such an attack. If we look at how the infamous data breach happened in 2019 via WhatsApp, it was triggered by missed calls, and how can one protect oneself from getting missed calls? The most difficult solution would be to use an archaic handset and discard all smartphones, but that does not seem feasible in today’s fast-paced world. The only preventive measure that can be taken at large is keeping our devices updated and installing any and all minor patches released by the software providers. Upgrading your phone periodically is also a good idea, but it might come off as an expensive one and not as eco-friendly, considering that less than 20% of e-waste is recycled sustainably (according to a report by the United Nations, 2019).
