Zero-click attacks are targeting social media - here's how to protect yourself


While we have all learned to avoid clicking on dodgy links and to look out for scams, this week we were reminded that there are silent threats we also need to be alert to—zero-click attacks.

Video-sharing app TikTok confirmed, as first reported by Forbes, that a few high-profile accounts, including the likes of CNN and Paris Hilton, were compromised simply by opening a DM. Attackers reportedly took advantage of a zero-day vulnerability in the messaging component to execute malicious code as soon as the message was opened.

The US National Security Agency (NSA) suggests that all smartphone users turn their devices off and back on once a week to protect against zero-click attacks. As the NSA itself admits, though, rebooting your phone will only sometimes stop these attacks from succeeding. There are still other things you can do to protect yourself—and security software like the best VPNs can help you out.

What is a zero-click attack?

As the name suggests, a zero-click attack or exploit doesn't require any action from the victim. The malicious software is installed on the targeted device without the owner clicking on any link or downloading any dangerous file.

This also makes these attacks very difficult to spot: because no interaction is needed, there are far fewer traces of malicious activity to notice.

Zero-click exploits abuse vulnerabilities in software code that have not yet been patched, so-called zero-day vulnerabilities. As experts at security firm Kaspersky explain, apps that provide messaging or voice calling features are a popular target because "they are designed to receive and interpret data from untrusted sources"—which makes them more exposed.

Once a device vulnerability is successfully exploited, hackers can inject malware, such as info stealers, to scrape your sensitive data. Worse still, they can silently install spyware that works in the background to record all your activities.

This is exactly how the Pegasus spyware managed to infect so many victims—more than 1,000 individuals across 50 countries, according to the 2021 joint investigation—without them even realizing it.

The same year, security researchers at Citizen Lab confirmed that two zero-click iMessage exploits were used to infect the iPhones of nine Bahraini activists with Pegasus spyware. In 2019, attackers took advantage of a WhatsApp zero-day vulnerability to install spyware on a device via a missed call.

As the celebrities' TikTok hack story highlights, social media platforms are becoming the next favorite target. Meta, for instance, recently fixed a similar vulnerability that could have allowed threat actors to hijack any Facebook account, according to a Nepalese researcher.

How to stay safe against zero-click attacks

Zero-click attacks are typically highly targeted at prominent figures such as politicians, people affiliated with big corporations, journalists, and activists. However, the truth is that any of us can potentially fall victim at some point.

The good news is that there are still some steps you can take to minimize your exposure to zero-click exploits.

First and foremost, I suggest keeping your device's operating system and all the apps you have installed up to date at all times. This matters because developers generally fix security bugs in new updates, so it may well be that the zero-day vulnerability cybercriminals would otherwise exploit has already been patched.

Overall, you should maintain good cyber hygiene. This also includes deleting apps you no longer use, downloading new applications from official stores only, regularly backing up your systems, and using your device's built-in password protection.

While a virtual private network (VPN) mainly encrypts your internet connection and masks your IP address, some top providers now offer additional protections like ad and malware blockers. These can help you detect and block malicious software before it infects your device. On this point, I recommend checking out NordVPN, ExpressVPN, and Surfshark.

However, a VPN with built-in anti-malware tools cannot replace the protection of a comprehensive antivirus. So, I suggest looking for reliable antivirus software and installing it on your smartphone as well.

Chiara Castro
Senior Staff Writer
