In 2025, most people are inseparable from their laptops and smartphones. With that familiarity has come a wariness of the dangers of clicking on unsolicited emails, SMS, or WhatsApp messages.
But there is a growing menace called zero-click attacks, which have previously targeted only VIPs or the very wealthy because of their cost and sophistication.
A zero-click attack is a cyberattack that hacks a device without the user clicking anything. It can happen just by receiving a message, call, or file. The attacker uses hidden flaws in apps or systems to take control of the device, with no action needed from the user and the user remains unaware of the attack.
“Although public awareness has increased recently, these attacks have steadily evolved over many years, becoming more frequent as smartphones and connected devices proliferated,” Nathan House, CEO of StationX, a UK-based cybersecurity training platform, told The Epoch Times.
“The key vulnerability is in the software, rather than the type of device, meaning any connected device with exploitable weaknesses could potentially be targeted,” he said.
Aras Nazarovas, an information security researcher at Cybernews, told The Epoch Times why zero-click attacks usually target VIPs, rather than ordinary individuals.
“Since finding such zero-click exploits is difficult and expensive, most of the time such exploits are used to gain access to information from key figures, such as politicians or journalists in authoritarian regimes,” he said.
“They are often used in targeted campaigns. Using such exploits to steal money is rare.”
“The part that requires high levels of sophistication is finding bugs that allow such attacks and writing exploits for these bugs,” Nazarovas said.
“It has been a billion-dollar market for years, selling zero-click exploits and exploit chains. Some gray/dark market exploit brokers often offer $500,000 to $1 million for such exploit chains for popular devices and apps.”
Expanded Spyware Markets
Although there have been recent innovations in AI that have made certain cyber crimes, such as voice-cloning or vishing, more prevalent, Nazarovas says there is no evidence yet that it has increased the risk from zero-click attacks.House said people could use AI to “write zero-click exploit chains for people who would have otherwise lacked the time, experience, or knowledge to be able to discover and write such exploits.”
But, he said, the increase in zero-click attacks in recent years, “stems mainly from expanded spyware markets and greater availability of sophisticated exploits, rather than directly from AI-driven techniques.”
In July 2021, The Guardian and 16 other media outlets published a series of articles, alleging that foreign governments used the Israeli-based NSO Group’s Pegasus software to surveil at least 180 journalists and numerous other targets around the world.
Alleged targets of Pegasus surveillance included French President Emmanuel Macron, Indian opposition leader Rahul Gandhi, and Washington Post writer Jamal Khashoggi, who was slain in Istanbul on Oct. 2, 2018.
‘Collateral Targets’
“While ordinary users can occasionally become collateral targets, attackers generally reserve these costly exploits for individuals whose information is especially valuable or sensitive,” Nazarovas said.
According to Nazarovas, corporations offer hackers ‘bug bounties’ to incentivize them to find these exploits and report them to the company, rather than selling them to a broker who then sells them on to parties who use them illegally.
House said defending against zero-click attacks is “challenging,” but some simple cybersecurity steps can reduce the risk.
“Users should always keep software and operating systems updated, regularly reboot their devices, and use hardened security modes such as Apple’s lockdown mode, especially if they believe they’re high-risk targets,” he said.
House said that whatever precautions are taken, it is crucial to recognize “exceptionally sophisticated attacks—like those from advanced nation-state adversaries—can bypass even the most robust defenses.”
Nazarovas said many big tech players, such as Apple, Google, and Microsoft, collect extensive telemetry data from billions of devices and use the data to detect zero-click exploits and other sophisticated attacks. Telemetry data is information collected remotely from devices such as phones and computers. This data, especially on app usage and behavior, is sent back to a central system to help improve performance, fix problems, or track activity.
“When vulnerabilities that allow such attacks are detected, they can be quickly fixed and rolled out almost immediately to billions of people thanks to automatic updates,” Nazarovas said.
