Zero-Click Attacks: Minimize Risk

Many cyber attacks depend on the actions of their victims – but there are now also methods that reach their target without any action on the part of the person attacked. We present strategies that can be used to minimize the risk of falling victim to such zero-click attacks.

 

Recently, a growing number of cyber attacks have been observed that require no participation from the victim (e.g. clicking a link), which makes them particularly threatening. These are so-called “clickless attacks” or zero-click attacks.

Like traditional cyberattacks that require victim interaction, they typically aim to install malware on a system. They require a still-unknown vulnerability (a so-called zero-day vulnerability) that also provides the permissions needed to run the planned automated actions. Such specific vulnerabilities can cost millions of dollars – which is why zero-click attacks are usually only commissioned by state actors.

 

How the attackers proceed

Most of the clickless attacks known to date involve spyware installed on the smartphones of high-profile victims. Such spy programs are often installed via messengers, which already carry out actions without the user having to do anything. For example, a prepared message can be sent to the victim’s smartphone, where it is opened automatically via the push function, installs malware and then destroys itself with the help of the timer and self-delete function.

Although smartphones seem to be the preferred targets of such attacks, zero-click attacks are not limited to them. The “Follina” vulnerability discovered in Microsoft Office products last year was used, for example, to install malware without the user having to do anything and without starting macros. HTML code could be run through the Microsoft Support Diagnostic Tool (MSDT). The vulnerability, for which patches are now available, was used, among other things, to spread the Quakbot malware. This in turn could have been used to load further malware, including ransomware.

 

Recommendations for action

Although zero-click attacks are designed to succeed without the victim doing anything, the risk of falling victim to such an attack can be significantly reduced with the following strategies:

  • Keep all apps installed on the smartphone up to date with the latest updates and delete apps that are no longer used.
  • Download apps only from the official app stores and do not jailbreak or root.
  • Disable pop-ups of all kinds, both in the browser and in the notification function of apps.


Source: com! professionals