For years, the statistics have told us that human error is the greatest contributor to cyberattacks. We’ve stressed the importance of training, training and more training to prevent the almost inevitable from happening. We’ve been convinced that the key to defending against cyberthreats is to keep the unsuspecting from clicking on phishing emails and infecting devices and systems with malware.

That’s still important, but with a cyberthreat that’s been in the news recently, all that effort would do no good. Zero-click attacks don’t require human error or even human interaction. These attacks depend on specially formed data — like that used for emails, SMS messages, MMS messages, voice messages and calls — with code that can compromise your system. Vulnerable systems are generally communication platforms for email and messaging that receive data before determining whether the delivery is trustworthy.

Cybercriminals prize these attacks, according to Wired: Requiring the target to click is always uncertain, plus less interaction makes identifying the perpetrators of malicious activity even more daunting.

How Zero-Click Attacks Work

A zero-click attack identified by ZecOps shows how the threat can work in the wild. The vulnerability affects the Mail app in Apple iPhones and iPads. ZecOps observed that cyberattackers could trigger the vulnerability by sending a carefully crafted message to a target’s mailbox. The vulnerability has existed since September 2012, when Apple released the iPhone 5 with iOS 6.

When the target opens the message in the iOS MobileMail application on iOS 12 or maild on iOS 13, the vulnerability lets malicious actors infect the device remotely via emails that consume extensive memory. The email itself doesn’t need to be large, according to ZecOps — just large enough to consume sufficient RAM. Even before the entire email is downloaded, the vulnerability can be triggered.

Starting with iOS 13, the vulnerability enables zero-click attacks when the Mail app is opened in the background. Cyberattackers can then read, edit, leak or delete emails within the Mail app. The attackers won’t gain full control of the targeted device, however. For that, ZecOps agrees with Apple that attackers would require an additional infoleak bug and kernel bug.

Apple patched the vulnerability in iOS 13.4.5 beta on April 16, 2020, although the patch is not yet available in the general availability version. If you can’t use the beta version, ZecOps suggests disabling the Mail application and considering Outlook, Edison Mail or Gmail, which are not vulnerable. But until a patch is available, malicious actors may use the time to attack as many devices as possible.

The Insidious Spread of Zero-Click Attacks

The iPhone and iPad zero-click vulnerability is not the only one recently discovered. In January 2020, Samsung thanked security researcher Mateusz Jurczyk with Google’s Project Zero bug-hunting team for finding a vulnerability that allowed attackers to exploit how the Android graphics library handles images, SC Magazine reported. This enabled zero-click attacks on Samsung mobile phones running Android version 4.4.4 or later. Successful attacks would eventually give the hacker access to the same privileges as the owner, including call logs, contacts and SMS.

In May 2019, a WhatsApp breach used the app’s voice call function to ring a target’s phone, The Defence Works reported. The attack installed malware, even if the target didn’t pick up, and then deleted the call. The internet connection between the caller and receiver’s phones hid infected data packets containing software code. The hacker could then take control of data, including call logs, messages and locations, as well as functions, such as the camera and microphone.

Another attack involved vulnerabilities in a Wi-Fi chipset used in gaming, streaming, laptops and some smart home devices, Help Net Security reported.

These attacks thrive on the proliferation of mobile devices. Statista projects that the number of smartphones alone will reach 3.8 billion by 2021. Cyberthreats take advantage of the devices, network coverage and Wi-Fi vulnerabilities and the trove of valuable data. Many of us carry as much personal and confidential information in our purse or pocket as we store on our desktop at home.

How to Prepare for Zero-Click Cyberthreats

The failure to identify large numbers of zero-click attacks is not due to a lack of vulnerabilities, according to Wired. They’re simply hard to detect. Users of infected Apple devices, for instance, might notice only a temporary slowdown or sudden crash of the mobile mail app. The content — an email, message or call — won’t necessarily remain on the device. For example, ZecOps noted that although data confirms the targeted Apple devices received exploit emails, they weren’t present on the mail server.

The features that make software more secure can make zero-click attacks harder to detect. Due to the end-to-end encryption of iMessages, for example, Apple or security monitoring firms can find it challenging to spot customized zero-click messages. Even the least sophisticated attacks leave few clues. Crash logs can be a good starting point to look for abnormalities that might indicate malicious activity.

To protect against zero-click attacks, basic cyber hygiene is a start. Keep the operating system, firmware and apps on all devices up to date as soon as prompted. Download apps only from official stores and uninstall apps you no longer use. Beware of requests for permission to install new apps, download unknown files or click on suspicious links.

Use your device password protection, but turn off automatic Wi-Fi and Bluetooth connections. Don’t jailbreak your mobile phone to download apps for free, because you’ll also remove the protection provided by Apple and Google.

Zero-click attacks are deceptive, dangerous and growing as the mobile attack surface expands. For now, stay aware of the zero-click threat, take precautions to secure your mobile device and stay up to date on novel attacks. Also realize that as the mobile phone has become more and more indistinguishable from a computer, your enterprise needs to take mobile security just as seriously as desktop and laptop security.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today