Zero-Click Exploits

October 24, 2025

18 min read

Explore zero-click exploits — stealthy, interactionless chains that evade defenses. Case studies reveal patch gaps and the need for stronger validation.

Introduction

In 2019, the world’s richest man, Jeff Bezos, received a text on WhatsApp: a completely harmless, ordinary-looking message with no suspicious link and no shady attachment, just a video file from a verified source. But this simple video file resulted in a major breach. Hours later, forensic investigators would discover that his iPhone, one of the most secure devices, had been compromised and gigabytes of private data leaked, all without his ever clicking a single thing1.

Zero-click attacks are the perfect crime: no clicks, no warnings, no chance to fight back. Whenever we think about cyberattacks, the things that come to mind are shady links, suspicious emails, or downloads from untrusted sources. But what if the shady email or link never reaches your eyes and can still compromise your device? Zero-click attacks exploit hidden flaws in software or applications to gain silent access to a device and then extract data from it.

Why Zero-Click Exploits Are Critical Today

Here’s the scary part: our lives are now run by smartphones. From online banking to health apps, from private conversations to work emails to smart home controls, we carry our entire digital identity in our pockets. Our smartphones contain a dozen apps that are connected to the internet all day, like Telegram, WhatsApp, Signal, etc. These apps are the main target for hackers as they handle your digital profile, your posts, and your confidential information.

People have changed; they are more aware now. They don’t click suspicious links or download files from untrusted sources, so attackers have evolved too: instead of tricking users with phishing emails, they try to enter a device stealthily and conduct the attack from there. The main benefit of a zero-click attack over other malware, from the attacker’s point of view, is stealth. At a time like this, it is clear that security is no longer in the hands of users; it is in the hands of the developers of apps, the operating systems of your devices, and the network stacks.

Hidden vulnerabilities, like in WhatsApp or iMessage or in any device components such as baseband processors, can be exploited at a large scale by both cybercriminals and state-backed actors. The threat is real, the threat of being hacked without even doing anything. The true danger of zero-click exploits isn’t just the damage they cause; it’s the fact that you can’t stop them by being careful.

Understanding Zero-Click Exploits

Zero-click exploits are no longer sci-fi fantasies; they are real threats that are reshaping the way your devices can be compromised. Let’s dig deeper into what zero-click exploits are, how they differ from traditional attacks, and how they evade detection so easily.

Definition and Key Characteristics

Zero-click exploits are cyberattacks that compromise a device without requiring any interaction from the victim: no taps, no downloads, no clicks. These exploits abuse flaws and bugs in apps or operating systems, and in how they process background data such as push notifications, message previews, or even call requests.

This means that merely receiving a malicious packet, file, or message can be enough to compromise your device. The attacker crafts inputs such as messages, media files, or call handshakes that are automatically processed by a trusted component of the app or the device’s OS. Security analysts describe these attacks as “interactionless exploitation,” a category quite different from the traditional methods of gaining access to a device.


Stagefright (2015) was discovered by Zimperium ZLabs and exploited by Joshua J. Drake. It is a well-documented example of a zero-click exploit: a vulnerability in Android’s media playback engine that allowed attackers to compromise devices via a single MMS message, all processed silently in the background. The attack was so dangerous because victims didn’t even need to open or view the message; the exploit triggered as soon as the OS parsed the file, and then deleted the message before the user ever knew about it. Stagefright showed that large attack surfaces like media libraries are ideal candidates for zero-click exploitation2.

Traditional Malware vs Zero-Click

Conventional attacks typically required some form of “social engineering” to convince users to click on links, enable macros, or even install trojanized apps. Traditional malware almost always depends on user-driven actions; it relies on the application layer and user behavior to initiate the execution flow. For example, a traditional attacker delivers a booby-trapped file such as a Word document or PDF that only activates once the victim opens it. Because a file artifact exists here, defenses like antivirus signatures, sandbox detonation, and user awareness training can reduce the risk. Zero-click exploits eliminate or sidestep the social engineering step entirely.

Instead, zero-click exploits target protocol-level flaws and automatic parsing functions. The background processing of this content works in the attacker’s favor: they target parsing engines, protocol handlers, and data verification logic, the components that process content automatically without any user involvement.

Another major distinction is awareness. Against traditional phishing, users can be trained and email can be filtered to mitigate the attack, but for zero-click attacks, even a well-informed user has no way to protect themselves from a new exploit.

As a Google Zero researcher put it:

There is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense3.

Comparison: Traditional vs Zero-Click Exploits

| Aspect | Traditional Example (User Execution) | Zero-Click Exploit Example |
|---|---|---|
| Attack Vector | Requires the victim to manually open a malicious file, often sent via email attachment. (MITRE ATT&CK – Malicious File, T1204.002) | Delivered silently through network packets, messaging apps, or push notifications, with no user action required. (Project Zero – iMessage Zero-Click) |
| User Interaction | High – success depends on tricking the victim into clicking/opening. | None – the exploit triggers automatically upon message receipt or packet parsing. |
| Complexity | Generally lower complexity; attackers rely more on social engineering than advanced code execution. | Extremely high complexity, requiring advanced knowledge of memory corruption, sandbox escapes, and OS internals. |
| Stealth | Often noticeable to the victim (suspicious attachment, unexpected file). | Highly stealthy – the victim may not see any visible message or alert. |
| Examples | Malicious Word or PDF attachments delivering malware. | Pegasus iMessage exploit chain, WhatsApp VoIP vulnerability. |

Why Zero-Click Exploits Are Harder to Detect and Prevent

Zero-click attacks excel mainly in stealth because they not only enter discreetly but also leave minimal or no traces behind. They exploit always-on parsers and protocol handlers (renderers, media decoders, VoIP stacks, etc.) whose code paths accept and interpret everything automatically, even when the input is malicious. So the first mistake is not the user’s; it is a design flaw that makes the malicious input reachable on the user’s device. And just as they enter with stealth, they vanish without a trace: most zero-click payloads run entirely in volatile memory, so they leave no persistent artifacts.

End-to-end encryption and platform sandboxing are two of the main reasons the usual inspection points are removed: encrypted payloads travel from sender to client unreadable by network defenses, and the sandboxes themselves execute them.

The combination of zero-day economics and slow patch distribution turns every single flaw like this into a long-running threat.

Common Targets For Zero-Click Attacks

Zero-click attackers pick targets that give the biggest payoff for the least risk. These attacks are mainly used to turn a device into a hub of information, since they are delivered silently and provide long-lived access. Attackers prioritize people or systems that hold a great amount of information, people like journalists, diplomats, executives, and critical infrastructure operators, and the devices that connect them4.


These are some of the most common targets for zero-click attackers:

  1. High Value individuals whose devices are intelligence brokers - imagine you are a politician, or a journalist, or a company executive who has a great amount of information on your device, and a single breach can reveal contact lists, private conversations, location history, and even cloud tokens.

  2. Corporate and IP targets - zero-click attacks are popular for corporate espionage because they can quietly leak product roadmaps, M&A plans, or even source code without any risk of detection.

  3. Political and state surveillance - zero-click attacks are not always quick data grabs; sometimes states or governments use them to monitor certain individuals, like exiled activists or foreign politicians. EU investigative reports and parliamentary inquiries document how state actors used mercenary spyware for political surveillance.

  4. Operational targets - a smartphone is a goldmine for hackers as it not only has a large amount of personal information stored in files, but also the sensors work as a real-time intelligence source, attackers can harvest GPS, microphone, and camera data for surveillance operations.

How Zero-Click Attacks Work

Exploiting Vulnerabilities In Software And Apps

Zero-click attacks exploit a simple yet unavoidable reality of modern tech: your apps run in the background and process data automatically when they receive it from others. The whole attack is engineered so that the attacker’s malicious code runs once it reaches the device, without a single tap on the screen.

Zero-click exploits don’t aim for the UI or UX part of the app; they target the background parsers, protocol handlers, and state machine handlers within the messaging, mail, or even VoIP protocols.

  • Targeting data handlers - Attackers focus on functions that operate outside the immediate user space, like a JPEG parser, which is not visible to a user, but it automatically generates a thumbnail when needed, or the metadata of push notifications that is handled by the messenger framework. These components handle complex data streams, which makes them a big target.

  • Achieving code execution - The attacker’s goal is to redirect the program’s instruction pointer. This is done by exploiting a vulnerability, usually a memory corruption bug, to overwrite a stored return address or function pointer, i.e., forcing the CPU to execute the attacker’s payload instead of the legitimate application code.

Data verification loopholes

The core of a zero-click attack depends on a data verification loophole. When an app or operating system receives data from an external source, it blindly trusts the information it contains without properly checking it.

One of the most common ways attackers exploit this is through an integer overflow, a type of memory corruption bug:

  1. The setup - the attacker creates a malicious file, for example, an image, and then modifies the file’s internal data that specifies the image’s size. The attacker uses a number so large that when the computer’s code tries to read it, the number overflows the available space for that variable. This fools the OS, and it reads the number as something very small or negative instead of the actual enormous size.
  2. The mistake - now, because the OS has mistakenly believed that the file is tiny, it allocates a small, insufficient memory block to hold the data.
  3. The payoff - the attacker’s payload is then copied into a small block of memory, and as the payload doesn’t fit, it spills out of the reserved space.
  4. The takeover - the final step occurs when the excess data lands in an adjacent memory location and overwrites crucial system instructions, specifically the pointer that tells the program what to do next. The attacker replaces the instruction pointer with the address of their own corrupted code, which leads to successfully hijacking control of the application.
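The four steps above, reduced to code as an added example (not from the article): a toy image header whose 32-bit size computation wraps to a tiny number, beside the overflow-checked computation a hardened decoder would use. The header layout, the 64 MiB cap and the sample pixel buffer are all constructed for the demo; the same under-allocation pattern underlies the JBIG2 case in the FORCEDENTRY case study below.

```c
/* Added example: integer-overflow-driven heap under-allocation and its fix.
 * The three-field header (width, height, bytes per pixel) is a constructed
 * toy format, not any real image format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Step 1 and 2, the vulnerable pattern: the product is computed in 32 bits,
 * so a crafted header wraps modulo 2^32 and the buffer is under-allocated.
 * Returns the (possibly wrapped) byte count the decoder would malloc. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;        /* unsigned wrap, no error raised */
}

/* Hardened pattern: multiply in 64 bits and compare against the limit the
 * caller is willing to allocate before any memory is reserved.
 * Returns the trustworthy byte count, or 0 to reject the header. */
uint64_t checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                             uint64_t limit)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)   /* toy sanity bounds */
        return 0;
    uint64_t area = (uint64_t)width * height;   /* < 2^64, cannot wrap */
    if (area > limit / bpp)                     /* area * bpp would exceed limit */
        return 0;
    return area * bpp;
}

/* Constructed benign payload: a 4x4 image with 3 bytes per pixel. */
static const uint8_t SAMPLE_PIXELS[48] = { 0 };

/* Step 3, done safely: allocate from the checked size and refuse a payload
 * whose length does not match it, so nothing can spill past the buffer. */
bool decode_image(uint32_t width, uint32_t height, uint32_t bpp,
                  const uint8_t *payload, size_t payload_len)
{
    const uint64_t cap = 64u * 1024 * 1024;     /* 64 MiB cap is an assumption */
    uint64_t need = checked_pixel_bytes(width, height, bpp, cap);
    if (need == 0 || payload_len != need)
        return false;
    uint8_t *buf = malloc((size_t)need);
    if (buf == NULL)
        return false;
    memcpy(buf, payload, (size_t)need);         /* bounded by the checked size */
    free(buf);
    return true;
}

int main(void)
{
    /* Constructed malicious header: 0x40000001 * 4 * 1 = 2^32 + 4, which a
     * 32-bit multiply wraps to 4 bytes while the payload is over 4 GiB. */
    printf("naive size for crafted header: %u bytes\n",
           naive_pixel_bytes(0x40000001u, 4u, 1u));
    printf("checked size for crafted header: %llu (0 = rejected)\n",
           (unsigned long long)checked_pixel_bytes(0x40000001u, 4u, 1u, 64u << 20));
    printf("benign 4x4x3 image decoded: %s\n",
           decode_image(4u, 4u, 3u, SAMPLE_PIXELS, sizeof SAMPLE_PIXELS) ? "yes" : "no");
    return 0;
}
```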


Delivery mechanisms: MMS, emails, messages, calls, or multimedia files

  1. Multimedia Messages (MMS) - attackers use the cellular network’s multimedia messaging service to transmit a payload disguised as a media file. The device’s OS or messenger application automatically starts decoding the media to generate a preview. As explained above, the malicious input targets a memory corruption vulnerability, such as a buffer overflow, within the decoder, which grants RCE even before a notification appears.


Example - one case that used MMS as the delivery mechanism was the Samsung Skia exploit. The full exploit was a multi-stage attack to bypass address space layout randomization: the attacker first sent between 50 and 300 sequential probe messages designed to crash the app and leak whether a specific memory address range was mapped or not, and once the memory position was determined, the final MMS carrying the malicious Qmage payload was sent and executed. Even though the vulnerability has been fixed, this attack remains a major example of MMS-based attacks (CVE-2020-8899).

  2. Messaging App Protocols (VoIP and Texting) - this category targets vulnerabilities in the real-time communication protocols used for messaging or calls, exploiting the automatic handling of connection data that these protocols require.

Example - VoIP stack buffer overflow in WhatsApp, CVE-2019-3568. The attacker initiates a call to the target, and before the user can answer or decline, the target device’s software automatically begins processing the incoming call’s data stream to make the phone ring. The attacker’s malicious data, hidden in this stream, is copied into an insufficiently sized memory buffer and triggers a buffer overflow, which corrupts the execution flow and achieves RCE.

  3. App-level sync - this delivery method exploits vulnerabilities in system services that automatically manage cloud synchronization, task scheduling, and above all background data fetching. These services run with higher privileges than a basic messaging app does. The method abuses the trust placed in continuous synchronization and cloud-based features.

Example - ENDOFDAYS exploit chain (QuaDream, 2021). ENDOFDAYS was a zero-click exploit chain developed by the spyware vendor QuaDream. It was used to infect iPhones by exploiting a vulnerability in iCloud Calendar. The delivery mechanism was an event invitation. The device’s dataaccessd process automatically received the push notification and, as part of routine synchronization, attempted to fetch the event details using CalDAV. The exploit payload was a malicious XML injection hidden inside the fields of an .ics file, which, when triggered, led to remote code execution without the user ever seeing a notification. The malware associated with this chain was the Reign spyware5.


The Anatomy of a Zero-Click Malware

Now, let’s look at the process it takes to engineer a zero-click capability and do an autopsy on a malware workflow. The following analysis describes the architecture and operational flow of the Reign spyware delivered by the zero-click capability known as ENDOFDAYS.

How Attackers Build Malware for Zero-Click Attacks

Developing zero-click malware requires a multi-stage engineering process designed to defeat layered security controls and escape their confinement. The main focus is on turning a single memory corruption flaw into full kernel control.

The key to this attack was the malicious XML within the .ics file being processed by dataaccessd without the user’s knowledge.

  1. Vulnerability Discovery - the chain begins by identifying an unpatched zero-day vulnerability in a high-privilege system process that automatically decodes untrusted data. This flaw is often a memory corruption issue or a logic flaw in the data parser. For the ENDOFDAYS exploit, the vector was a weakness in how the CalDAV client processed malicious data within iCloud Calendar invitations, exploiting the parsing performed during content rendering.

  2. Kernel Privilege Escalation (Local Privilege Escalation) - The RCE payload executes within a strict sandboxed environment. To achieve true system compromise, a second separate kernel zero day is used to perform a sandbox bypass and obtain kernel read/write primitives. This stage uses primitives to defeat low-level mitigations like PAC and KASLR by overwriting kernel structures.

  3. Payload Staging - The finalized spyware, identified as KingsPawn, is then deployed using the kernel access. It is installed within a high-trust system location, the XPC staging area /private/var/db/com.apple.xpc.roleaccountd.staging/, enabling the payload to displace a legitimate OS daemon and inherit its permissions6.

General Malware Workflow on a Device

| Phase | Technical Action | Detail & Source |
|---|---|---|
| Infection | Payload delivery and execution initialization. | The backdated iCloud calendar invitation is automatically processed by the calendar daemon, bypassing notification and triggering the exploit. The process involves a downloader component to fetch and execute the full-featured subridged payload. Sources: CitizenLab, BleepingComputer. |
| Persistence | Subversion of cryptographic integrity and system time validation. | It achieves persistence by hijacking the system’s framework and implementing a syscall hook on gettimeofday. This allows the malware to craft valid future iCloud TOTP (Time-based One-Time Password) codes, thereby guaranteeing access to the victim’s backed-up data via the cloud API and circumventing any device-side removal. Sources: Microsoft, CitizenLab. |
| Data Exfiltration | Deep-level data harvesting via kernel access. | The malware collects device information, including iOS build version and Wi-Fi and cellular metadata, records audio, decrypts data from the iOS Keychain, and runs direct SQL queries against app data structures, all to harvest intelligence. The data is then compressed and transmitted to the C2 server using encrypted HTTPS POST requests. Sources: Microsoft, CitizenLab. |

Role of Operating Systems, App Frameworks, and APIs in Exploitation

Every zero-click attack explicitly targets and subverts the security controls built into the OS stack. The following layers of the OS stack are documented by CitizenLab in two samples of the iOS spyware called KingsPawn.

  • Operating System - a successful attack allows the payload to access and modify low-level kernel memory. The subridged binary contains logic to immediately parse a set of 40 kernel memory offsets that are vital for its continuous operation6.

  • App Frameworks (TCC/XPC) - critical security boundaries are compromised, and the malware gains access not only to data but also to system peripherals like the camera and microphone by performing process injection or library hijacking into tccd. The XPC system is used as a high-trust staging environment for the malware binary itself6.

  • APIs (Anisette/System Calls) - the anisette framework, which is responsible for cryptographic asset attestation and integrity in Apple services, is compromised via hooking. The cryptographic identity of the device allows the malware to forge trusted credentials and tokens, which are necessary for persistent control and data recovery from cloud endpoints.

Case Studies of Zero-Click Exploits

Mechanics like memory corruption, protocol parsing flaws, and sandbox evasion are best understood through real-world incidents; the following case studies cover some of the biggest and most severe zero-click attacks that have ever occurred.

FORCEDENTRY (2021)


A. The Target and Date

  • Target: Apple iOS 14.x (prior to 14.8), macOS, and watchOS.
  • Year: In use since February 2021.
  • Attacker: NSO Group - an Israeli mercenary spyware firm.
  • Victim Profile: High-value targets globally, including journalists, human rights defenders, and political dissidents.

B. Delivery Mechanism

The exploit was delivered through a specially crafted, malicious file sent via iMessage. The file appeared to be a harmless .gif image, but it was in fact a manipulated Adobe PDF file containing the exploit payload. This delivery method allowed the corrupted code to enter the device silently and be processed automatically by the iMessage framework without triggering a notification or requiring the victim to ever open the message thread. The .gif extension was an obfuscation technique designed to make sure the payload reached the automated parser within the OS.

C. The Vulnerability and Exploit (FORCEDENTRY)

The attack successfully defeated Apple’s BlastDoor, a dedicated security mechanism introduced in iOS 14. BlastDoor, considered a top security mechanism at the time, was added to harden Messages parsing and mitigate prior zero-click techniques (e.g., Kismet), but the attackers bypassed it by hitting the IMTranscoderAgent process that handles media conversion.

The core vulnerability was CVE-2021-30860, a memory corruption primitive within Apple’s CoreGraphics framework. It was reached through the parsing of JBIG2-encoded data, a highly efficient image compression format used in PDFs.

The attack used a complex chain of memory corruption and logic flaws:

  1. Integer Overflow Trigger: The payload exploited an integer overflow flaw in the code that handled JBIG2-encoded data. This led to heap buffer under-allocation, meaning the system reserved too little memory for the huge incoming data stream.

  2. RCE and Sandbox Break: The memory shortage resulted in an out-of-bounds write. This allowed the malicious data to spill over and overwrite adjacent data structures, giving the attacker remote code execution inside the IMTranscoderAgent sandbox.

  3. The “Weird Machine” Bootstrap: The RCE payload then deployed a Turing-complete emulated computer architecture known as a “weird machine”, constructed entirely from JBIG2 logical operations. This weird machine executed the bootstrapping operations that allowed the malware to escape the sandbox.

D. Final Payload Deployment

The initial RCE was followed by a second stage, a Local Privilege Escalation, which gave the attackers kernel read/write primitives, effectively the master keys to the entire operating system, and let them modify any memory space.

With kernel access, the hacker bypassed hardware and software defenses like:

  • PAC (Pointer Authentication Codes) - This is used to prevent ROP attacks, but once kernel primitives are available, attackers can defeat the signing or operate on memory before PAC ever performs a signature check.

  • KASLR (Kernel Address Space Layout Randomization) - This randomizes where the kernel is placed in memory to frustrate attacks that depend on known addresses.

After defeating these through the LPE, the Pegasus spyware was implanted on the device3. Pegasus provided unrestricted system access for mass surveillance operations, with capabilities like reading plaintext messages, recording audio, and logging call records.

This extreme threat was sold through an Exploitation-as-a-Service model, and it forced Apple to release an urgent, out-of-band patch (iOS 14.8).

WhatsApp Missed Call Trojan (2019)


A. The Target and Date

  • Target: All WhatsApp Messenger versions prior to the May 2019 patches.
  • Attacker: Associated with NSO Group, which utilized the zero-click vector “EDEN”.
  • Victim: Approximately 1500 high-value individuals, such as human rights defenders, journalists, lawyers, etc.

B. Delivery Mechanism

This attack was a textbook zero-click exploit. It was initiated by an attacker simply placing a WhatsApp voice call to the target’s phone number, and that’s it. The victim did not even need to answer the call or even see the notification.

The exploit payload was injected into the data stream during the call setup phase, and to amplify the stealth, the malware was even designed to delete the call record from the victim’s log after successful installation of the malware, thus leaving no visible evidence of the intrusion.

C. The Vulnerability and Exploit

The main vulnerability associated with this attack was CVE-2019-3568, a critical-severity flaw classified as a heap-based buffer overflow. The weakness resided within WhatsApp’s Voice over IP stack, the software component that processes call data using Real-time Transport Protocol (RTP) and Secure RTCP (SRTCP).

The exploit technique involved:

  1. Protocol Manipulation: A specially crafted series of malicious SRTCP packets was sent to the target device during the call negotiation.

  2. Memory Corruption: The RTCP packet parser inside the VoIP stack lacked sufficient boundary checks on the data length fields, and the attacker exploited this by sending manipulated length fields that triggered an overflow of the allocated heap memory.

  3. Achieving RCE: The overflow allowed the attacker’s malicious code to overwrite adjacent memory space, like the FORCEDENTRY malware, and then redirect the program’s execution flow, ultimately achieving RCE within the WhatsApp application.
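The length-field check whose absence is described in steps 1 and 2, as an added example that is not WhatsApp’s code or any code from the article: a bounds-checked parser for RTCP compound-packet framing (the RFC 3550 header layout, where the 16-bit length field counts 32-bit words minus one), beside the trusting size computation a vulnerable parser would rely on. Both datagrams below are constructed for the demo, not captured traffic.

```c
/* Added example: validating RTCP length fields against the bytes actually
 * received.  Packet contents are constructed; bodies are zeroed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed view of one RTCP sub-packet inside a compound datagram. */
struct rtcp_item {
    uint8_t pt;      /* payload type: 200 = SR, 201 = RR, 202 = SDES, ... */
    uint8_t count;   /* RC/SC field, low 5 bits of the first byte */
    size_t  bytes;   /* size on the wire, including the 4-byte header */
};

/* Wire size claimed by the header: (length + 1) * 4.  A vulnerable parser
 * takes this untrusted value and uses it directly to copy or advance, so
 * four header bytes can claim up to 262144 bytes that were never sent. */
size_t rtcp_claimed_bytes(const uint8_t *hdr)
{
    uint16_t words = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return ((size_t)words + 1) * 4;
}

/* Hardened parser: every claimed size is checked against what remains in
 * the datagram before it is used.  Returns the number of sub-packets, or
 * -1 on any framing violation, in which case the whole datagram is dropped. */
int rtcp_parse_compound(const uint8_t *buf, size_t len,
                        struct rtcp_item *out, size_t max_items)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 4)                       /* truncated header */
            return -1;
        const uint8_t *hdr = buf + off;
        if ((hdr[0] >> 6) != 2)                  /* RTCP version must be 2 */
            return -1;
        size_t sz = rtcp_claimed_bytes(hdr);
        if (sz > len - off)                      /* the bug class: claimed > available */
            return -1;
        if (hdr[0] & 0x20) {                     /* padding bit: last byte = pad count */
            uint8_t pad = buf[off + sz - 1];
            if (pad == 0 || pad > sz - 4)
                return -1;
        }
        if ((size_t)n >= max_items)
            return -1;
        out[n].pt = hdr[1];
        out[n].count = hdr[0] & 0x1F;
        out[n].bytes = sz;
        n++;
        off += sz;
    }
    return n;
}

/* Convenience wrapper: number of sub-packets in a datagram, or -1. */
int rtcp_count_subpackets(const uint8_t *buf, size_t len)
{
    struct rtcp_item items[8];
    return rtcp_parse_compound(buf, len, items, 8);
}

/* Constructed benign compound packet: an SR with no report blocks
 * (28 bytes, length field 6) followed by an RR with no report blocks
 * (8 bytes, length field 1). */
static const uint8_t BENIGN_RTCP[36] = {
    0x80, 0xC8, 0x00, 0x06, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x80, 0xC9, 0x00, 0x01, 0,0,0,0
};

/* Same datagram, but the RR length field claims 0xFFFF words (262144 bytes)
 * while only 8 bytes remain: the shape of a length-field overflow. */
static const uint8_t CRAFTED_RTCP[36] = {
    0x80, 0xC8, 0x00, 0x06, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x80, 0xC9, 0xFF, 0xFF, 0,0,0,0
};

int main(void)
{
    printf("benign datagram: %d sub-packets\n",
           rtcp_count_subpackets(BENIGN_RTCP, sizeof BENIGN_RTCP));
    printf("crafted RR claims %zu bytes, only 8 remain\n",
           rtcp_claimed_bytes(CRAFTED_RTCP + 28));
    printf("crafted datagram: %s\n",
           rtcp_count_subpackets(CRAFTED_RTCP, sizeof CRAFTED_RTCP) < 0
               ? "rejected" : "accepted");
    return 0;
}
```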

D. Final Payload Deployment

This zero-click attack also delivered Pegasus and was used by governments to spy on individuals. The RCE was used to download and install the Pegasus spyware agent, after which the attackers gained unrestricted access to the whole phone.

The payload provided surveillance capabilities like call monitoring and GPS tracking, even access to the camera and microphone. The detection of this vulnerability led to huge chaos, and WhatsApp responded by issuing an urgent security patch in May 2019. WhatsApp also filed a lawsuit against NSO Group for unlawfully accessing its server to execute the attack.

Impact and Consequences of Zero-Click Exploits

Today, surveillance plays a major role in modern warfare, and the emergence of zero-click exploits has made its impact profound. These attacks allow an adversary or a state to compromise a device and take hold of its data and operations. The damage is typically catastrophic: privacy loss, leaked financial credentials, theft of personal and corporate data, leaked personal photos, and ongoing surveillance.

| Case (year) | What the hack was | Damages caused / could have caused |
|---|---|---|
| Pegasus — FORCEDENTRY (2021) | A zero-click iMessage/IMTranscoderAgent exploit chain (CVE-2021-30860) used by NSO Group’s Pegasus to silently deliver spyware. Sources: Citizen Lab, Google Project Zero. | Privacy: compromise of messages, location, mic/camera, photos, contacts. Financial: possible exposure of banking apps, cloud tokens, credentials (inferred). Political/organizational: targeted surveillance of journalists, activists, diplomats. |
| WhatsApp missed-call exploit (2019) | A zero-click VoIP call vulnerability (CVE-2019-3568) in WhatsApp’s VoIP stack was exploited via specially crafted call packets, tied to Pegasus use against ~1,400 high-risk targets. Sources: Citizen Lab, NVD. | Privacy: plaintext capture of conversations, messages, and device sensors. Financial: credential/cookie theft risk for banking or commerce apps. Organizational: targeted human-rights defenders and journalists. |
| Jeff Bezos iPhone hack (2018) | Targeted compromise of Jeff Bezos’ phone via a malicious media file (reported as a WhatsApp video). Investigative reporting ties the incident to external actors and politically sensitive leaks. Sources: The Guardian, CNN. | Privacy: extensive personal data and communications exposed. Financial/business: potential leakage of sensitive negotiation emails, corporate strategy, or M&A details. Political: used in geopolitical controversy and media narratives. |
| Project Raven / “Karma” iMessage (2016) | Offensive cyber program (UAE / DarkMatter) using iMessage exploits (e.g., “Karma”) to surveil targets (foreign officials, activists). Sources: Reuters Special Report. | Political/diplomatic: espionage against foreign leaders and dissidents; potential to disrupt diplomatic relations and influence politics. Organizational: compromise of government communications, policy negotiation data, and strategic secrets. |
| Stagefright (2015) | Android Stagefright media-library vulnerabilities that allowed code execution via a single MMS message; widely publicized after discovery by Zimperium. Sources: Zimperium blog, WIRED. | Privacy: potential access to photos, messages, the microphone, and location. Financial: corporate fleets faced patching and support costs; increased risk of credential theft. Scale: could affect millions of devices due to slow OEM patch roll-out. |

Prominent Attacks and Financial Damages

  • Human Rights Watch & HRW’s Lama Fakih: Human Rights Watch’s Director Lama Fakih reported that she was targeted five times by the Pegasus spyware between April and August 2021, in attacks conducted via a zero-click iMessage exploit. On November 24, 2021, Apple notified her via email, iMessage, and an alert on the login screen that she might be the target of a state-sponsored attack conducted against her personal iPhone7.

  • Apple vs. NSO Group lawsuit: In November 2021, Apple filed a lawsuit against Israel’s NSO Group to curb the abuse of state-sponsored spyware. Apple asked for a permanent injunction banning NSO Group from using any Apple software, services, or devices, and accused NSO Group of developing and distributing software that enabled attacks on a number of Apple users worldwide. Apple also announced a $10 million contribution to support cybersurveillance researchers and advocates8.


  • Project Raven & DarkMatter (UAE): Reuters, with the help of ex-NSA operatives, investigated and revealed how U.S. intelligence operatives were recruited to run the UAE’s Project Raven, which hacked devices, mainly the phones of activists, journalists, and foreign governments9.

  • Jordan / civil society targeting: A forensic investigation conducted by Access Now’s Digital Security Helpline and CitizenLab revealed that approximately 30 to 35 individuals in Jordan, mainly journalists, activists, and lawyers, were targeted by zero-click attacks that installed Pegasus on their devices10.

Conclusion

Lessons Learned & Mitigation Strategies

Patching is necessary for everyone, but it is not sufficient. The long-term defense should be architectural, not reactive. Strategies like these have proven helpful:

  • Isolation: Isolating the parsing functionality into hardened, more secure sandboxes.

  • Memory safe languages: Rebuilding parsers using memory safe languages like Rust and Swift can secure a device, as the majority of zero-click chains exploit memory corruption. Big companies like Google, Apple, and Microsoft are already moving core libraries to safer languages.

  • Privilege separation: Enforcing stricter privilege and permission separation limits what an attacker who compromises one component can do, and can stop them from taking control of the whole device.

  • Rapid patching: When CitizenLab exposed Pegasus, Apple patched up their devices and released iOS 14.8 in a short amount of time, thus killing the exploit chain before it could affect more devices. Similarly, WhatsApp also patched CVE-2019-3568 once exploitation was detected, which prevented further mass surveillance.

  • Forensics and visibility: Nothing is undetectable; everything leaves a faint footprint. Amnesty’s Mobile Verification Toolkit has been used globally to detect Pegasus traces in the logs and artifacts of the device.

  • Defenses: Measures currently in place include Apple’s Lockdown Mode, an example of “attack surface reduction”. It disables high-risk features like link previews and complex message rendering, which cuts off zero-click vectors before they are even exploitable.

AI is quickly becoming not only a weapon but also a weak point when it comes to zero-click attacks. By automating decision-making and ingesting massive amounts of input data, AI systems have expanded their attack surface. Below is a recent example of AI models being used as a zero-click vector.

EchoLeak - Zero-Click Prompt Injection Exploit


EchoLeak, identified as CVE-2025-32711, was a critical zero-click attack carried out via prompt injection, found in Microsoft 365 Copilot. The exploit allowed attackers to exfiltrate sensitive data without any user interaction. The attack worked when an attacker embedded malicious instructions within a document or email, which Copilot processed automatically and then executed as hidden commands, leading to potential data leakage11.

Zero-click exploits mark a fundamental shift in the cyber threat landscape, as they move the security responsibility from the user to the developer. These attacks are the perfect description of interactionless exploitation, and they easily bypass years of user awareness training. They exploit trust boundaries in code that is meant to “just run”.


  1. Guardian: “Jeff Bezos hack: Amazon boss’s phone ‘hacked by Saudi crown prince’”.

  2. WIRED: “‘Stagefright’ Android bug is the ‘worst ever discovered’”.

  3. Project Zero: “A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution”.

  4. Amnesty International: “India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists”.

  5. Bitdefender: “QuaDream ‘Reign’ Spyware Used to Hack iPhones of High-Profile Targets”.

  6. CitizenLab: “Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers”.

  7. Human Rights Watch: “Human Rights Watch Among Pegasus Spyware Targets”.

  8. Apple: “Apple sues NSO Group to curb the abuse of state-sponsored spyware”.

  9. Reuters: “Inside the UAE’s Secret Hacking Team of American Mercenaries”.

  10. Access Now: “Between a hack and a hard place: how Pegasus spyware crushes civic space in Jordan”.

  11. DarkReading: “Researchers Detail Zero-Click Copilot Exploit ‘EchoLeak’”.
