In a world of instant communication, reinforced by the ever-spreading notion that if you are not connected or available you might be the odd one out, messaging has in many ways become a crucial form of communication and personal connection, especially for the younger generations.
In this context, cybercriminals may find it easier to succeed with their schemes: messaging someone is straightforward, and human error can take care of the rest. Sometimes, however, not even human error is needed. We're delving into the realm of zero-click attacks, which, as the name implies, might signal the end of the era of blatantly obvious phishing messages with their comical grammar errors. But is this truly the case?
Wait, I didn’t do anything
What are zero-click attacks? Unlike traditional exploitation, which tricks users into granting access by opening an infected attachment or clicking on a rogue link, this kind of attack does not require any such interaction.
Most zero-click attacks rely on vulnerabilities in applications, especially messaging, SMS, or even email apps. If a particular app has an unpatched vulnerability, the attacker can tamper with its data stream, which can be as simple as an image or a text message. Within that media they can hide manipulated data that exploits the vulnerability to execute malicious code without your knowledge.
This lack of interaction makes malicious activity harder to track, which helps threat actors evade detection, enables the installation of spyware, stalkerware, or other forms of malware, and lets criminals track, monitor, and harvest data from an infected device.
For example, in 2019, it was discovered that WhatsApp, a popular messaging app, was vulnerable to a particular zero-click attack, wherein a missed call could exploit a vulnerability inside the app’s code. This way, attackers were able to compromise the device the app was on to infect it with spyware. Thankfully, the developers managed to patch this one, but the case shows that even a missed call was able to trigger an infection.
Is there any protection against zero-click attacks?
More and more companies are now focusing on dealing with zero-click attacks. For example, Samsung mobile phones now offer Samsung Message Guard, part of the Knox security platform, which pre-emptively protects users by limiting their exposure to invisible threats disguised as image attachments.
Samsung Message Guard (SMG) checks files bit by bit and processes them in a controlled environment, essentially a sandbox that quarantines images from the rest of the operating system, much like a function found in many modern antivirus solutions.
It joins the ranks of security solutions such as Apple’s BlastDoor, which checks data within iMessage in a similar way: by sandboxing the iMessage app it prevents messages from interacting with the OS, so threats have a harder time reaching outside the service. This solution came after experts uncovered a weakness in iMessage that was used to install mercenary spyware on the devices of individuals, mostly politicians and activists, to read their texts, listen to their calls, collect passwords, track their locations, and access their microphones, cameras, and more – a rather insidious piece of malware, all without any semblance of user interaction.
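To make the sandboxing idea behind Message Guard and BlastDoor concrete, here is an added illustration (not Samsung's or Apple's code) of the pattern both follow: untrusted attachment data is handed to a throw-away, CPU-limited child process that parses it, and only a small result record ever comes back to the main app, so a parser failure or hang triggered by hostile input never executes inside the messaging process. The strict PNG header parser, the pixel limit and the sample inputs are all constructed for this example.

```python
# Added illustration of sandboxed attachment parsing; constructed example,
# not Samsung's or Apple's code.
import multiprocessing as mp
import resource
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 50_000_000  # constructed policy limit: reject absurd dimensions

def parse_png_header(data: bytes) -> dict:
    # Strict signature + IHDR parser; raises on anything malformed.
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    width, height = struct.unpack(">II", data[16:24])
    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        raise ValueError("unreasonable dimensions")
    return {"width": width, "height": height}

def _worker(data: bytes, conn) -> None:
    # Child side: cap CPU time so a hang cannot stall the app, then parse.
    resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
    try:
        conn.send({"status": "ok", **parse_png_header(data)})
    except Exception as exc:  # the parser failure stays in the child
        conn.send({"status": "rejected", "reason": str(exc)})
    finally:
        conn.close()

def guarded_parse(data: bytes, timeout: float = 3.0) -> dict:
    # Parent side: only a tiny dict ever crosses the isolation boundary.
    parent, child = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(data, child))
    proc.start()
    child.close()
    try:
        if parent.poll(timeout):
            result = parent.recv()
        else:
            result = {"status": "rejected", "reason": "parser timed out"}
    except EOFError:  # child died without answering (crash or kill)
        result = {"status": "rejected", "reason": "parser crashed"}
    finally:
        proc.kill()  # no-op if already exited; otherwise ends a hung parser
        proc.join()
    return result

# Constructed samples: a valid 640x480 IHDR and one claiming 2^32-1 pixels wide.
GOOD = PNG_SIG + struct.pack(">I4sII", 13, b"IHDR", 640, 480)
HOSTILE = PNG_SIG + struct.pack(">I4sII", 13, b"IHDR", 0xFFFFFFFF, 0xFFFFFFFF)
```

Real message guards go further (seccomp or App Sandbox profiles, no network, decoding the whole file rather than a header), but the shape is the same: the risky parsing happens where a crash is contained, and the main app only ever sees a validated summary.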
However, caution should still be exercised even with anti-zero-click solutions in place, as other vulnerabilities may remain that threat actors can exploit to gain access to your device. This is especially true for phones running outdated software, which are less likely to have received the relevant patches.
Starting from ground zero
While zero-click attacks require almost no interaction and tend to target high-profile individuals or anyone with some public visibility, there are still a few basic cybersecurity tips that can help you avoid these kinds of attacks:
- Keep your devices and apps updated, especially as soon as security updates are available.
- Purchase phones from brands with a strong track record of providing updates (at a minimum, regular security updates for at least three years).
- Try to stick to official app stores, like Google Play or Apple’s App Store, as these audit new releases and their apps are therefore more likely to be safe.
- If you are not using an app, delete it, and watch out for malicious app copycats.
- Back up your device regularly to recover your data in case you need to reset your device.
- Bump up your security with a mobile antivirus solution.
- In general, practice cybersecurity hygiene.