Zero-click scam: something like a cop scam, but without the cop

We regularly warn against fraud attempts that are based on the victim’s error: clicking on an infected link, downloading an application that captures account data, trusting a person pretending to be a policeman / bank employee / courier company and transferring or physically handing over money. However, no action on the part of the victim is necessary for the theft of money or data.

– Sometimes user error is not necessary. This is why zero-click attacks have become an effective modus operandi for cybercriminals. They make it possible to distribute malware even without any error on the part of the user. This is one of the most advanced forms of cybercrime, unlike, for example, the well-known phishing messages, full of obvious, sometimes even funny grammatical errors. In the case of zero-click attacks, it is difficult to realize that we are under attack, says Kamil Sadkowski, an analyst at the ESET anti-virus laboratory.

Zero-click: I didn’t do anything

What are zero-click attacks? Unlike traditional methods that trick users into opening an infected attachment or clicking a suspicious link, these attacks do not require interaction with the victim.

In most cases, these types of attacks are based on security vulnerabilities in applications, such as those used for messaging, SMS and even e-mail. If a given application has an unpatched vulnerability, the attacker can manipulate its data. Cybercriminals can place malicious code in images or text messages that they then send to the user.

Not having to interact with the victim makes it more difficult to detect malicious activity. This, in turn, opens the door to installation of spyware, stalkerware and other forms of malware. Additionally, criminals can track and collect data from an infected device.

For example, in 2019, WhatsApp was discovered to be vulnerable to a specific zero-click attack in which a missed call could exploit a vulnerability in the app’s code. In this way, attackers could infect the device on which the application was located with spyware. Fortunately, developers were able to quickly patch this vulnerability.

Is it possible to protect yourself from an invisible enemy?

Nowadays, more and more companies are focusing on protection against zero-click attacks. For example, Samsung phones offer Samsung Message Guard, which protects users by reducing the risk of exposure to invisible threats hidden in, for example, graphic attachments. Samsung Message Guard analyzes files bit by bit and processes them in a controlled environment, isolated from the rest of the operating system, like many modern antivirus solutions.

Apple has also introduced a solution to protect users from zero-click attacks. BlastDoor similarly analyzes data in iMessage, preventing interaction between messages and the operating system through the use of sandboxing technology. This makes it difficult for potential threats to get beyond this service. This solution was introduced after the discovery of a security vulnerability in iMessage, which was used to install spyware on the devices of public figures, mainly politicians and activists. Criminals were able to read their messages, listen in on calls, collect passwords, track device locations, and gain access to microphones and cameras.

So what should you do to avoid falling victim to a zero-click attack? Here are the most important recommendations:

• Keep your devices and apps up to date.

• Buy phones from brands that have a good reputation for regular security updates.

• Download applications from official stores such as Google Play or Apple App Store, which verify all posted applications for possible harmful functionality.

• If you don’t use an app, delete it.

• Back up your device’s data regularly so that you can recover it if you need to factory reset it.

• Strengthen your security by installing a mobile antivirus solution.