Highlights
- Zero-click exploits compromise devices without user interaction by exploiting flaws in messaging, calling, or media-processing features.
- Real-world cases like Pegasus, FORCEDENTRY, and WhatsApp vulnerabilities show how these stealthy attacks target journalists, activists, and officials.
- Mitigation strategies include keeping devices updated, limiting automatic media features, using strong security settings, and adopting stricter safeguards for high-risk users.
Imagine never clicking a suspicious link, never answering a call, never installing a malicious app, and still waking up to a phone that is secretly leaking your messages, photos, and microphone recordings to someone else. That’s the unnerving reality of zero-click exploits: attacks that require no interaction from the victim and that can turn a smartphone into a covert spy device in seconds. Over the last half-decade, these techniques have evolved from highly targeted nation-grade surveillance tools into a growing worry for activists, journalists, and even ordinary users. This article explains how zero-click attacks work, why they are so dangerous, and, most importantly, what you can do to reduce the risk.

What is a zero-click exploit?
A zero-click exploit is a vulnerability chain that allows an attacker to compromise a device remotely without any user action. Unlike phishing or malicious apps that rely on social engineering or consent, zero-click attacks exploit flaws in software that automatically processes incoming data, for example, the way your messaging app processes images, audio, PDFs, or even missed calls. The attacker sends a specially crafted message (or call, or file) that triggers the vulnerability. The device’s automatic processing routines, which are meant to make messaging seamless, end up executing attacker code instead. That code then pulls in a payload (malware), opens a remote connection, and grants the attacker control, or at least access to sensitive data.
Real-world examples
The headlines that put zero-click exploits on the global map involved Pegasus, the commercial spyware sold by NSO Group. Investigations by research groups including Citizen Lab and Amnesty International documented how Pegasus used zero-click vulnerabilities in popular messaging stacks to infect iPhones and Android devices belonging to journalists, human-rights defenders, and politicians.
One notorious example is the FORCEDENTRY exploit, a zero-click vulnerability in Apple’s iMessage ecosystem that researchers captured in the wild and analysed in detail. That exploit demonstrated how an attacker can weaponise image/PDF handling and bypass protections meant to isolate untrusted message content. Google Project Zero and Citizen Lab provided deep technical breakdowns of how FORCEDENTRY worked.

Earlier, in 2019, WhatsApp was found to have a zero-click vulnerability that let attackers deliver spyware through crafted VoIP calls even when the calls were missed or went unanswered, a reminder that voice and video calling protocols are another attack surface. Amnesty and other partners documented how that vulnerability was abused against civil society figures, prompting patches and litigation.
Why Zero-Click Attacks are especially scary
Zero-click attacks are especially alarming because they bypass the traditional security advice that most users rely on. Unlike phishing or malicious downloads, they require no action from the victim, so warnings like “don’t click suspicious links” simply do not apply: the attack vector circumvents conscious human choices altogether. What makes them scarier is their silent and stealthy nature.
Well-crafted zero-click implants can leave little to no forensic trace, making them difficult to detect or analyse, and they can persist undetected for long periods. Spyware like Pegasus, for example, was marketed as a “leave-no-trace” surveillance product, highlighting how effectively these tools can evade discovery, as documented by Amnesty International.
These attacks also tend to take advantage of trusted infrastructure, exploiting the very convenience features users expect from modern devices. Message previews, automatic media rendering, and in-call codecs, all designed to improve user experience, can be weaponised, which means that hardening user behaviour alone offers little protection.

The Cyber Security Agency of Singapore has emphasised how these everyday conveniences double as attack surfaces. Finally, the technical sophistication involved raises the stakes. Zero-click exploits once required the resources and expertise of nation-state teams, restricting their use to high-value targets. However, the commercialisation and commoditisation of these tools are lowering the barrier, making them accessible to a broader set of actors. This combination of stealth, inevitability, and growing accessibility makes zero-click exploits one of the most daunting threats in mobile cybersecurity today.
Practical Protections for Users
While zero-click attacks are difficult to eliminate entirely, individuals and organisations can significantly reduce their exposure by combining good software hygiene, smart device settings, and threat-model-based strategies. The most important step is to keep operating systems and apps updated, ideally through automatic updates, since vendors regularly release patches that close the very vulnerabilities exploited in zero-click chains, as seen in how Apple mitigated the FORCEDENTRY exploit through timely iOS updates, a point emphasized by The Citizen Lab and Security.com.
It is equally important to limit the attack surface in messaging apps by disabling automatic media downloads or previews, restricting who can message you, and turning off lock-screen previews, recommendations echoed by both the UK’s National Cyber Security Centre (NCSC) and the Cyber Security Agency of Singapore.
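The two ideas above, that automatic processing of untrusted input is where zero-click chains begin and that limiting what gets processed unprompted shrinks the exposure, can be made concrete in code. The following Python example is added here and is not from the article or any messaging vendor: it defines a constructed toy attachment format (an assumption for illustration, not a real wire format), contrasts a convenience-first parser that trusts header fields with a hardened one that bounds every field and insists that declared and actual sizes agree, and puts a policy gate in front of it so that nothing is parsed automatically unless auto-render is on and the sender is a known contact. The names `naive_parse`, `strict_parse`, `handle_incoming` and the size caps are all constructed for this example.

```python
import struct
from dataclasses import dataclass

# Constructed toy attachment format (an assumption for this example, not any
# real messenger's wire format):
#   magic b"TIMG" | width u32 LE | height u32 LE | bits-per-pixel u8 | pixel bytes
HEADER = struct.Struct("<4sIIB")
MAGIC = b"TIMG"
MAX_DIM = 4096                 # cap on each declared dimension
MAX_PIXELS = 1_000_000         # cap on width * height
MAX_PAYLOAD = 4 * 1024 * 1024  # cap on the whole attachment


@dataclass(frozen=True)
class Image:
    width: int
    height: int
    bpp: int
    pixels: bytes


class RejectedAttachment(ValueError):
    """Validation failed; the caller quarantines the data instead of rendering it."""


def naive_parse(data: bytes) -> Image:
    """The convenience path: trusts every header field and never checks the actual
    length, so a header/body mismatch passes straight through to the renderer."""
    _magic, w, h, bpp = HEADER.unpack_from(data)
    size = w * h * bpp // 8
    return Image(w, h, bpp, data[HEADER.size:HEADER.size + size])


def strict_parse(data: bytes) -> Image:
    """The hardened path: every field is bounded before it drives any computation,
    and the declared size must equal the number of bytes actually received."""
    if len(data) > MAX_PAYLOAD:
        raise RejectedAttachment("payload exceeds size cap")
    if len(data) < HEADER.size:
        raise RejectedAttachment("truncated header")
    magic, w, h, bpp = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise RejectedAttachment("bad magic")
    if bpp not in (8, 24, 32):
        raise RejectedAttachment("unsupported bit depth")
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM) or w * h > MAX_PIXELS:
        raise RejectedAttachment("dimensions out of range")
    expected = w * h * (bpp // 8)
    body = data[HEADER.size:]
    if len(body) != expected:
        raise RejectedAttachment(f"declared {expected} bytes, received {len(body)}")
    return Image(w, h, bpp, body)


def is_rejected(data: bytes) -> bool:
    """True when strict_parse refuses the data (helper for checks and tests)."""
    try:
        strict_parse(data)
    except RejectedAttachment:
        return True
    return False


def handle_incoming(sender: str, data: bytes, known_contacts: set,
                    auto_render: bool) -> str:
    """Policy gate in front of the parser. Returns one of:
    'held'        - nothing is parsed until the user explicitly opens it
                    (auto-render off, or sender not a known contact);
    'quarantined' - known sender, but the data failed strict validation;
    'rendered'    - known sender and well-formed data."""
    if not auto_render or sender not in known_contacts:
        return "held"
    if is_rejected(data):
        return "quarantined"
    return "rendered"


# Constructed samples: a well-formed 2x2 8-bit image, and a header that declares
# 60000x60000 pixels but carries only four bytes of body.
GOOD = HEADER.pack(MAGIC, 2, 2, 8) + bytes(4)
BAD = HEADER.pack(MAGIC, 60000, 60000, 8) + bytes(4)

if __name__ == "__main__":
    img = naive_parse(BAD)
    print("naive accepts:", img.width, "x", img.height, "with", len(img.pixels), "bytes")
    print("strict rejects BAD:", is_rejected(BAD))
    for who in ("alice", "stranger"):
        print(who, "->", handle_incoming(who, GOOD, {"alice"}, auto_render=True))
    print("auto-render off ->", handle_incoming("alice", GOOD, {"alice"}, auto_render=False))
```

The point of the contrast is that `naive_parse` hands the renderer an image whose declared geometry bears no relation to the bytes behind it, which is exactly the kind of inconsistency a native decoder turns into memory corruption; `strict_parse` refuses it before any size-derived computation happens, and `handle_incoming` ensures that turning off automatic rendering, or receiving from an unknown sender, means no parser runs at all.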

Strengthening device security features also plays a vital role: enabling full-disk encryption, using strong passcodes or biometrics, and adopting FIDO-based hardware keys for multi-factor authentication instead of SMS codes, in line with guidance from CISA. At the same time, users should avoid jailbreaking or rooting their devices, as this strips away core protections and makes exploitation far easier, and should refrain from installing untrusted apps.
For those at heightened risk, such as journalists, activists, or lawyers, Amnesty International suggests adopting a clear threat-model approach: assume targeted attempts are possible and use ‘clean’ secondary devices for sensitive communications, minimize the number of apps installed, and consider mobile device management (MDM) solutions with strict security policies. On an organizational level, security should include MDM deployment, restrictions on risky features like unsecured cloud backups, the use of endpoint detection tools, and an incident response plan that incorporates mobile device forensics.
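The protections in this section amount to a baseline that gets stricter as the user's threat model gets more serious. The Python example below is added here and is not part of the article or of any vendor's or MDM product's tooling: it encodes those recommendations as an audit over a device posture record, rating the same weakness higher for a high-risk user and requiring MDM enrolment only in that tier. The field names, the severity scale and the minimum OS versions in `MIN_OS_VERSION` are constructed for the example; a real programme would take its version baseline from the vendor's current security advisories.

```python
from dataclasses import dataclass

# Constructed baseline versions for this example only; a real programme takes them
# from the vendor's current security advisories, not from a hard-coded table.
MIN_OS_VERSION = {"ios": "17.6", "android": "14"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class DevicePosture:
    platform: str                 # "ios" or "android"
    os_version: str               # e.g. "17.6.1"
    auto_updates: bool
    auto_media_download: bool     # messaging apps fetch/preview media unprompted
    lockscreen_previews: bool
    jailbroken_or_rooted: bool
    mfa_method: str               # "sms", "app" or "fido"
    cloud_backup_encrypted: bool
    mdm_enrolled: bool
    risk_tier: str                # "standard" or "high" (journalist, activist, lawyer)


def parse_version(v: str) -> tuple:
    """'17.6.1' -> (17, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(p: DevicePosture) -> list:
    """Return (severity, finding) pairs, most severe first. The same weakness is
    rated higher for a high-risk user; that tiering is the threat-model part."""
    high = p.risk_tier == "high"
    findings = []
    if parse_version(p.os_version) < parse_version(MIN_OS_VERSION[p.platform]):
        findings.append(("critical", "OS below patched baseline; known exploit chains may apply"))
    if not p.auto_updates:
        findings.append(("high", "automatic updates disabled; patches arrive late"))
    if p.jailbroken_or_rooted:
        findings.append(("critical", "jailbroken/rooted; platform sandboxing is weakened"))
    if p.auto_media_download:
        findings.append(("high" if high else "medium", "automatic media download/preview enabled"))
    if p.lockscreen_previews:
        findings.append(("medium" if high else "low", "lock-screen message previews enabled"))
    if p.mfa_method == "sms":
        findings.append(("high" if high else "medium", "SMS-based MFA; prefer FIDO hardware keys"))
    if not p.cloud_backup_encrypted:
        findings.append(("high" if high else "medium", "cloud backup not end-to-end encrypted"))
    if high and not p.mdm_enrolled:
        findings.append(("high", "high-risk user without MDM-enforced policy"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def meets_baseline(p: DevicePosture) -> bool:
    """True when nothing rated 'high' or 'critical' remains open."""
    return all(SEVERITY_ORDER[sev] > SEVERITY_ORDER["high"] for sev, _ in audit(p))


# Constructed profiles: a reporter's phone with default convenience settings, the
# same phone after hardening, and an ordinary user with the same default settings.
REPORTER_DEFAULT = DevicePosture("ios", "17.2", True, True, True, False, "sms", False, False, "high")
REPORTER_HARDENED = DevicePosture("ios", "17.6.1", True, False, False, False, "fido", True, True, "high")
STANDARD_DEFAULT = DevicePosture("android", "14", True, True, True, False, "sms", False, False, "standard")

if __name__ == "__main__":
    for name, profile in (("reporter/default", REPORTER_DEFAULT),
                          ("reporter/hardened", REPORTER_HARDENED),
                          ("standard/default", STANDARD_DEFAULT)):
        print(f"{name}: baseline {'met' if meets_baseline(profile) else 'NOT met'}")
        for sev, text in audit(profile):
            print(f"  [{sev}] {text}")
```

Running it shows the tiering at work: the same default settings that leave an ordinary user with only medium and low findings put a high-risk user below the baseline, which is the practical meaning of "assume targeted attempts are possible" in the paragraph above.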
Conclusion
Zero-click exploits represent one of the most insidious evolutions in digital threats, erasing the line between risky user behaviour and unavoidable software exposure. They highlight a sobering reality: even the most cautious individual can become a target simply by owning a smartphone. Yet, while the technical sophistication and stealth of these attacks make them difficult to counter fully, awareness and layered defences can meaningfully reduce risk.

Keeping devices patched, limiting automatic features, and adopting stronger security practices place valuable hurdles in the attacker’s path. For those at greater risk, such as journalists, human-rights defenders, and political figures, a clear threat model and stricter safeguards are essential. Ultimately, tackling zero-click attacks requires shared responsibility: users must stay vigilant, organisations must enforce robust protections, and vendors must continue to harden the very platforms we rely on daily. The fight against these invisible intrusions is ongoing, but informed and proactive defences are our best means of tilting the balance back toward security.