You know not to open an email attachment from someone you don’t know. You also avoid downloading unexpected files or questionable popups when you go online. But did you know there’s malware that requires zero action from you? Zero-click malware can infect your device without any interaction on your part.

Traditional malware required the user to click a link, download a file, or execute a program. It often relies on phishing and social engineering to fool you into taking action.

Zero-click malware exploits vulnerabilities in your operating system (OS) or applications. It uses carefully crafted, undetected code to access and execute a payload automatically, and there’s no trigger. If one is present on the system you’re using, you’ll navigate right into it.

This makes zero-click malware attacks all the more dangerous. After all, they happen without your knowledge or consent. Meanwhile, attackers can use zero-click malware to:

  • gain access to sensitive data, such as passwords or financial information;
  • take control of your device;
  • impersonate you and send out messages on your behalf;
  • carry out additional attacks.

Understanding zero-click attacks

Zero-click attacks exploit bugs, misconfigurations, or design flaws in an application or OS. They can come in many forms as attackers:

  • target email applications and messaging apps such as WhatsApp or iMessage;
  • build malicious websites;
  • hack and infect legitimate websites;
  • exploit vulnerabilities in network protocols or services.

In one well-publicized example, Amazon CEO Jeff Bezos suffered a zero-click attack. A WhatsApp message compromised his texts, instant messages, and potentially even voice recordings.

Another well-known attack targeted the WhatsApp accounts of journalists, activists, and human rights defenders in several countries. The attackers installed the Pegasus spyware on the targeted device simply by placing a phone call to the device, even if the user did not answer the call. The malware could extract messages, photos, contacts, and other sensitive data from the device, as well as activate the device's camera and microphone to record the user's surroundings.

How to protect against zero-click software

Protect against zero-click malware by keeping your device's software up to date. These attacks are often designed to exploit unknown vulnerabilities in software, enabling automatic updates can help ensure you run the latest, most secure software.

Also, install and use security tools such as antivirus software and firewalls, which help detect and prevent the malware from infecting your device, and remain cautious about clicking on links or downloading files from unknown sources.

Further reduce your risk by using strong passwords and two-factor authentication. Plus, limit your device exposure to public Wi-Fi networks and unknown devices.

In case of a zero-click malware or other types of data breach, regularly back up your data, too. Store backups on a separate device that uses strong encryption and two-factor authentication, or use a secure cloud storage service.