The rise of zero-click attacks

esteria.white

Mobile security

A security compromise so stealthy it doesn’t even require your interaction? Yes, zero-click attacks require no action on your part, but that doesn’t mean you’re vulnerable.

Silent but Deadly: The Rise of Clickless Attacks

In a world of instant communication, accelerated by the increasingly prevalent idea that if you’re not connected or available you might be the odd one out, messaging has in many ways become a crucial form of communication and personal connection, especially for younger generations.

In this context, cybercriminals may find it easier to succeed in their schemes because sending messages to someone is simple and human error can make the rest easier. However, sometimes even human error is not necessary. We’re entering the realm of zero-click attacks, which, as the name suggests, could mark the end of the era of blatantly obvious phishing messages with their humorous grammatical errors. But is this really the case?

Wait, I didn’t do anything

What are zero-click attacks? Unlike traditional exploitation opportunities, which trick users into providing access by opening an infected attachment or clicking on a malicious link, this attack does not require that kind of interaction.

Most zero-click attacks rely on vulnerabilities in applications, especially those intended for messaging or SMS. If a particular application has an unpatched vulnerability, the attacker can tamper with its data flow. This could be an image or text that you are about to send. Within this media, they can hide manipulated data that exploits a vulnerability to execute malicious code without your knowledge.

This lack of interaction means that malicious activity is harder to track, which makes it easier for bad actors to evade detection, to install spyware, tracking software or other forms of malware, and to track, monitor and harvest data from an infected device.

For example, in 2019 it was discovered that WhatsApp, a popular messaging app, was vulnerable to a particular zero-click attack, in which a missed call could exploit a vulnerability in the app’s code. This way, the attackers were able to compromise the device the application was on to infect it with spyware. Fortunately, the developers managed to fix this one, but the case shows that even a missed call could trigger an infection.

Is there protection against zero-click attacks?

More and more companies are now focusing on dealing with zero-click attacks. For example, Samsung mobile phones now offer a solution that preemptively secures users by limiting exposure to invisible threats disguised as image attachments, called Samsung Message Guard (SMG), part of its Knox security platform.

SMG checks the files bit by bit and processes them in a controlled environment, essentially a sandbox to quarantine images from the rest of the operating system, similar to a feature that many modern antivirus solutions have.

It joins the ranks of security solutions such as Apple BlastDoor, which checks data in iMessage in the same way, preventing interaction between messages and the operating system by sandboxing the iMessage application so that threats have a harder time reaching outside the service. This solution came after experts discovered a weakness in iMessage used to install mercenary spyware against individuals, mainly politicians and activists, to read their texts, listen to calls, collect passwords, track their location and access their microphones, cameras, etc. – rather insidious malware, all without any semblance of user interaction.
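The pattern the last two paragraphs describe, shown as an added example (not Samsung's or Apple's code, and not from the original article): every chunk of a PNG attachment is validated in a separate, CPU-limited process, and only a verdict string returns to the caller. `MAX_DIM`, the function names and the sample images are assumptions made for the illustration; it assumes a POSIX system and relies on process separation with resource limits, not a full OS sandbox.

```python
import resource, struct, subprocess, sys, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_DIM = 8192  # assumed policy limit (not from the article)

def check_png(data: bytes) -> str:  # walk every chunk; 'ok' or the rejection reason
    if not data.startswith(PNG_SIG):
        return "reject: bad signature"
    pos, first, seen_end = len(PNG_SIG), True, False
    while pos < len(data):
        if seen_end or pos + 12 > len(data):
            return "reject: trailing or truncated data"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            return "reject: chunk length exceeds file"
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            return "reject: CRC mismatch"
        if first and (ctype != b"IHDR" or length != 13):
            return "reject: IHDR missing or malformed"
        if first and not all(0 < d <= MAX_DIM for d in struct.unpack(">II", body[:8])):
            return "reject: implausible dimensions"
        first, seen_end, pos = False, ctype == b"IEND", end
    return "ok" if seen_end else "reject: no IEND"

def _limit_child():  # runs in the child just before exec: cap its CPU seconds
    hard = resource.getrlimit(resource.RLIMIT_CPU)[1]
    cap = 2 if hard == resource.RLIM_INFINITY else min(2, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, hard))

def inspect_isolated(data: bytes) -> str:
    """Parse in a throwaway process; only a short verdict string comes back."""
    try:
        p = subprocess.run([sys.executable, "-I", __file__, "--child"], input=data,
                           capture_output=True, timeout=5, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return "reject: inspector timed out"
    verdict = p.stdout.decode("ascii", "replace").strip()
    return verdict if p.returncode == 0 and verdict else "reject: inspector crashed"

def sample_png(width: int) -> bytes:  # constructed test image of the given width
    def chunk(t, b):
        return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\0\0")) + chunk(b"IEND", b"")

if __name__ == "__main__":
    child = sys.argv[1:] == ["--child"]  # the inspector re-runs this file as the child
    print(check_png(sys.stdin.buffer.read()) if child else inspect_isolated(sample_png(1)))
    sys.exit(0)
```

A crash, timeout or empty reply from the child is treated as a rejection, so a parser bug triggered by a malformed file ends in the disposable process rather than in the messaging app.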

However, caution is still required, even with anti-zero-click solutions, as there may still be vulnerabilities that malicious actors can exploit to access your device. This is especially true for phones with outdated software, as they are less likely to have vulnerabilities patched.

Start from nothing

Even though zero-click attacks require virtually no interaction and tend to target high-profile individuals or anyone with some public visibility, there are still some basic cybersecurity tips that can be helpful in avoiding this type of attack:

  • Keep your devices and apps up to date, especially as soon as security updates become available.
  • Buy phones from brands that have an excellent track record of providing updates (at least regular security updates, and for at least three years).
  • Try to stick to official app stores, like Google Play or the Apple App Store, as these check for all new versions and are therefore more likely to be safe.
  • If you don’t use an app, delete it, and watch out for malicious copycat apps.
  • Back up your device regularly to recover your data in case you need to reset your device.
  • Strengthen your security with a mobile antivirus solution.
  • In general, practice good cybersecurity hygiene.
