Haven’t clicked on a suspicious link? You could still get hacked with ‘zero-click’ attacks
Dubai: You have been told to never click on links sent by unknown sources, but what happens if you don’t even have to click on a link to become the victim of a cyber-crime? ‘Zero-click’ attacks are now a possibility, with malicious actors gaining the ability to infect and hack a device, without even requiring the user to engage.
Gulf News sat down with Fadia Almaeeni, Senior Cyber Security Engineer at the Sharjah Digital Department, to find out exactly what a zero-click attack is, and how you can stay safe as an online user.
What is a zero-click attack?
“Zero-click attacks represent an advanced class of exploits wherein threat actors require no target interaction. Unlike traditional attacks that rely on user actions, such as clicking on malicious links or opening infected files, zero-click attacks can be executed remotely and silently. They can evade traditional security measures like anti-virus software and email filters designed to detect and prevent malicious links or attachments, and that makes them particularly dangerous as victims may remain unaware of the attack until too late,” she said.
According to Fadia, while most software updates fix bugs that cybercriminals could exploit, attackers can also exploit what is called a ‘zero-day vulnerability’, which is a vulnerability in the system that has not yet been discovered by the vendor. These vulnerabilities could be within your device’s operating software, or in popular everyday apps, such as direct messaging, SMS, and email, and attackers exploit them by sending zero-click malicious code within messages or files that appear harmless at first glance.
“With their increasing complexity and integration into our daily lives, mobile devices present a wide range of vulnerabilities that threat actors can exploit, often without requiring user interaction,” she added.
• Attack vector: Zero-click attacks exploit software or operating system vulnerabilities, whereas traditional scams often target user behaviour and lack of awareness.
• Detection: Zero-click attacks are often more difficult to detect and prevent, as they operate silently in the background.
Some vulnerabilities on your device that can be exploited for a zero-click attack
Operating System (iOS or Android) vulnerabilities:
• Zero-day exploits: These vulnerabilities are undiscovered by the software vendor, meaning no patches are currently available. Threat actors can exploit them to gain unauthorised access to the device.
• Outdated software: Not updating to the latest operating software (OS) version can leave devices vulnerable to known attacks.
Application vulnerabilities:
• Messaging apps: Apps like WhatsApp and iMessage can have vulnerabilities that allow threat actors to send malicious messages.
• Malicious apps: Apps from unofficial sources or compromised app stores can contain malware that can steal data or take control of the device.
Four ways in which ‘zero-click’ attacks may happen
According to Fadia, a zero-click attack may happen in different ways:
1. Malicious messages or payloads: “Threat actors can send specially crafted malicious messages, such as SMS, MMS, or push notifications. These messages take advantage of flaws in the processes used to interpret or display them, causing harmful code to execute automatically when the message is received—without requiring the user to open it,” she said.
2. Exploiting software bugs: “By identifying bugs in the operating system, apps, or firmware, cybercriminals can bypass security mechanisms. This might include exploiting memory management flaws, input validation errors, or permission escalation bugs to gain unauthorised access to the system,” she said.
3. Remote Code Execution (RCE): This refers to vulnerabilities that allow cybercriminals to execute arbitrary commands on a remote device.
“For instance, they can exploit insecure network protocols or services exposed to the internet to inject and run their code, potentially gaining full control over the target device,” she said.
4. Man-in-the-middle attacks: In some cases, threat actors intercept communications between the device and a trusted server, exploiting vulnerabilities to inject malicious payloads or manipulate data without user involvement.
“By combining these techniques, cybercriminals can silently gain access, steal data, or disrupt services without alerting the user or requiring any interaction, making these vulnerabilities particularly dangerous,” Fadia added.
What kind of data can get compromised in such attacks?
A successful zero-click attack can compromise a wide range of sensitive information, including:
• Personal data: Names, addresses, phone numbers, and email addresses.
• Financial information: Credit card numbers, bank account details, and passwords.
• Private messages: Text messages, emails, and social media messages.
• Photos and videos: Sensitive photos and videos stored on your device.
“Users should be aware that a successful zero-click attack can grant threat actors persistent access to their devices. This means the threat actor can maintain ongoing, unauthorised control over the compromised device or system. With this access, they can repeatedly retrieve sensitive data, alter device settings, install additional malware, or monitor the victim's activities over time, even if the initial vulnerabilities are later patched,” Fadia warned.
How do I protect myself?
Unfortunately, no single tool can completely protect against zero-click attacks, according to Fadia, and users should go for a multi-layered approach, based on a good understanding of how such attacks can affect their devices.
“Addressing these threats relies on user awareness, staying informed about emerging risks, and practising robust cybersecurity habits. We can summarise three key recommendations. First, for any account that you have your phone registered with, such as an iCloud account in the case of iPhone devices or other accounts for Android users, make sure that you enabled multi-factor authentication (MFA) and always keep your devices up to date to the latest versions. This is considered the second layer of protection for the account and the device. Secondly, make sure that you install only reputable and secure apps while avoiding questionable ones you are unsure about. For example, there are many discussions about TikTok’s security concerns in the US, UK, and Singapore, which you should consider, if you use such an app. Finally, the last secret point is about a feature that was released by Apple a few years ago but people are not aware of: Lockdown Mode. When activated on the device, it limits exposure to zero-day vulnerabilities by restricting some functionalities. Following these tips can significantly reduce the risk of falling victim to zero-click attacks,” she said.
Top tips to protect yourself from zero-click attacks
- Regularly update your devices with the latest security patches from manufacturers.
- Incorporate daily reboots to disrupt persistent attacks, hindering attackers' ability to maintain control.
- Disable non-essential features prone to exploitation, such as iMessage and FaceTime.
- Stay alert to signs of infection, like rapid battery depletion, sudden shutdowns, and increased data consumption.
- Leverage advanced security features, such as Apple's Lockdown Mode, which reduces vulnerabilities.
- Be cautious when granting permissions to apps; only allow access to essential functionalities and avoid giving unnecessary permissions.
- Avoid using public Wi-Fi for sensitive activities.
“By understanding these guidelines and taking proactive measures, you can significantly reduce the risk of falling victim to zero-click attacks and other cyber threats,” she added.