Using a “zero-click” attack, a hacker can gain access to a phone or computer even if the user does not open a malicious link or attachment. Instead, hackers use a succession of security holes in operating systems like Apple Inc.’s iOS or Google’s Android to break into a smartphone without having to trick their victim into doing anything. They can install malware capable of stealing data, listening in on calls, and tracking the user’s whereabouts once they’ve gained access.
According to more than a dozen surveillance company employees, security researchers, and hackers interviewed, government agencies are using zero-click hacks more frequently to spy on activists, journalists, and others, as people are more wary than ever about clicking on suspicious links in emails and text messages.
The technology required for zero-click hacking was once the exclusive domain of a few intelligence organisations, but it is now being offered to governments by a small number of corporations, the most renowned of which is Israel’s NSO Group. According to former employees and partners of those companies, at least three other Israeli companies (Paragon, Candiru, and Cognyte Software Ltd.) have developed zero-click hacking tools or offered them to clients, demonstrating that the technology is becoming more widespread in the surveillance industry.
A potential victim can take actions to limit the likelihood of a successful zero-click attack, such as keeping their equipment up to date. However, because people rely on messaging apps for communication, some of the more effective methods, such as uninstalling certain messaging apps that hackers can use as gateways to breach a device, aren’t practical.
Attackers obtain access to a device via zero-click attacks, and then install malware, such as NSO Group’s Pegasus, to discreetly watch the user. Pegasus can secretly capture emails, phone calls, and text messages, monitor location, and record video and audio using the phone’s built-in camera and microphone.
NSO Group, which was placed on the US blacklist in November for supplying spyware to governments that used it to maliciously target government officials, journalists, businesspeople, activists, and others in order to silence dissent, has stated that it only sells its technology to governments and law enforcement agencies as a tool to track down terrorists and criminals.
In December, Google security experts looked into a zero-click exploit developed by NSO Group that could be used to get into an iPhone by sending a fake GIF image via iMessage. They described it as one of the most technically sophisticated exploits they’ve ever seen.
While NSO Group has received the greatest attention in the media, numerous Israeli companies are offering similar capabilities to assist governments in spying on mobile phones. At least four other Israeli companies have acquired or created zero-click hacking technologies.
Candiru, a Tel Aviv-based surveillance firm with over 120 employees, teamed with another Israeli firm, Cognyte, to provide governments with zero-click spyware that can be deployed on Android and iOS mobile devices.
Paragon, a company founded by former members of Israel’s Unit 8200 spy agency, has developed its own zero-click hacking technology, which it has marketed to governments in Europe and North America as a way to gain access to encrypted messaging apps like WhatsApp and Signal.
Here are some reasons why zero-click attacks are much more lethal than mainstream cyber-attacks:
• A victim of a zero-click attack does not have to click a link, download an attachment, or visit a malware-infected website. Users are completely unaware of what is going on because everything takes place behind the scenes.
• The attackers don’t have to waste time setting up a complicated trap or bait to entice victims into completing a task. This speeds up the spread of a zero-click attack.
• By delivering a message to a user’s phone with no notification, zero-click attacks install specifically targeted tracking tools or spyware on the victim’s device. Infections can start without the user ever touching their phone.
• Zero-click attacks do not leave behind any traces or indicators of compromise.
• Zero-click attacks employ the most advanced hacking techniques which can bypass any endpoint security, antivirus, or firewall system.