Zero-click attacks are among the most dangerous cyberattacks because they can compromise a device without the victim clicking a link, opening an attachment, or taking any action at all. These attacks typically target messaging apps, email clients, or mobile operating systems that automatically process incoming data such as images, calls, or messages.

This guide explains how they work, who’s at risk, and what practical steps you can take.

Quick Answer: What is a zero-click attack?

A zero-click attack is a cyberattack that executes without requiring any interaction from the victim.

Instead of tricking someone into clicking a malicious link or downloading a file, attackers exploit vulnerabilities in software that automatically processes incoming content. This can include:

  • Text messages
  • Multimedia files
  • VoIP calls
  • Email previews
  • Push notifications
  • Messaging apps such as WhatsApp or iMessage

In many cases, the victim never sees the malicious message because the exploit runs silently in the background and may delete evidence afterward.

Why zero-click attacks are so dangerous

Most cyberattacks rely on social engineering. Attackers typically need users to do one of the following:

Zero-click attacks remove that requirement entirely. This makes them particularly dangerous for journalists, executives, government officials, activists, and security researchers who may already be targeted by sophisticated threat actors. However, ordinary users are not completely immune, especially as exploit techniques become more widely available.

Zero-click vulnerabilities are extremely valuable. Software vendors and criminal organizations pay handsomely for privately disclosed zero-click exploits. For example, Apple offers rewards of up to $2 million for researchers who discover certain zero-click iPhone exploits. Google Bug Hunters offers up to $1.5 million for qualifying Android exploit chains.

How zero-click attacks work

Although individual attacks vary, most follow a similar pattern:

  1. An attacker identifies a vulnerability in a messaging or email application — specifically in the code that parses incoming data before you’ve interacted with it.
  2. They send a specially crafted payload to your device. This could be a hidden text, a malicious image, a voicemail, a video, or even a missed call — anything the target application will automatically process.
  3. The vulnerability is triggered when the app parses incoming data, allowing an attacker to execute code remotely.
  4. Malware is installed silently. Spyware, trojans, or surveillance tools give the attacker access to your device contents, communications, or controls.
  5. Evidence is erased. Because the attacker typically has full control of the infected device, they can delete the original message, leaving no obvious trace.
  6. The specific vulnerability varies case by case. What defines a zero-click attack isn’t what is exploited — it’s the absence of any required user action.

Real-world zero-click attacks

These aren’t theoretical scenarios. Several high-profile cases have been publicly documented.

WhatsApp — Paragon spyware (2025)

WhatsApp detected and disrupted a zero-click campaign targeting around 90 users across more than two dozen countries, including several in Europe. Victims were sent malicious documents that required no interaction to compromise their devices. WhatsApp attributed the attack to Paragon, an Israeli spyware firm that sells surveillance tools to government clients and markets itself as an ethically responsible operator.

Apple iMessage — “ForcedEntry” (2021)

Researchers at Citizen Lab discovered that an iPhone belonging to a Bahraini human rights activist had been compromised using a zero-click exploit in iMessage. The attack, dubbed “ForcedEntry,” bypassed Apple’s BlastDoor, a sandboxing feature designed to filter malicious iMessage data. It was used to deploy Pegasus spyware, developed by the Israeli firm NSO Group, and was active on iOS 14 devices at the time of discovery. Apple patched the vulnerability after Citizen Lab’s disclosure.

WhatsApp — missed call exploit (2019)

A zero-click vulnerability in WhatsApp allowed attackers to install spyware simply by placing a missed call to a target’s device. The call exploited a flaw in WhatsApp’s voice call handling code. The spyware was injected during the data exchange that occurred as part of the call — no answer required. This attack was also attributed to NSO Group.

Jeff Bezos (2018)

Amazon’s then-CEO received a WhatsApp message from Saudi Crown Prince Mohammed bin Salman containing a video file with embedded malicious code. The code silently exfiltrated data from Bezos’s iPhone — including text messages and potentially voice recordings — over several months before being discovered.

Who is actually at risk?

Zero-click exploits are extremely valuable, which means they’re rarely wasted on ordinary users. In practice, they’re deployed against high-value targets: journalists, activists, politicians, executives, and diplomats.

That said, the risk isn’t zero for everyone else. As these techniques become more documented and potentially more accessible over time, the threat landscape can shift. The underlying lesson that your device can be compromised without any mistake on your part is worth understanding, regardless of who you are.

Can you tell if you’ve been targeted?

Detecting a zero-click attack is genuinely difficult. There are no strange pop-ups and no suspicious emails to recall clicking. Indicators, if they exist at all, are buried in network logs: unusual IP addresses or domains your device connected to without your knowledge.

Forensic analysis of this kind requires specialist tools and expertise. Citizen Lab used mobile device forensics software to identify the ForcedEntry attack. For most users, this isn’t a realistic option.

If you work in a sensitive field and have reason to believe you’ve been targeted, your best option is to consult a professional digital security organization, such as Access Now’s Digital Security Helpline, which supports journalists and activists at risk.

How to reduce your exposure

No measure will make you immune to a well-funded zero-click attack. But these steps reduce your overall attack surface and limit damage if a device is compromised.

Keep software updated

Zero-click exploits rely on unpatched vulnerabilities. Installing security updates promptly (especially for messaging apps and your operating system) closes known attack vectors. The ForcedEntry exploit, for example, was patched once disclosed.

Reduce your attack surface

  • Delete messaging apps you don’t use. Each one is a potential entry point.
  • Avoid jailbreaking or rooting your device. This disables core OS security protections.
  • Only install apps from official stores (App Store, Google Play), which apply some vetting.

Limit what a compromised device can expose

Use a separate device

If you’re involved in journalism, activism, legal work, or finance, consider using a separate device for personal and professional activity. This limits the blast radius if one device is compromised.

Reboot regularly

Some security researchers also recommend regularly rebooting your device. While this won’t remove persistent malware, it can disrupt certain spyware variants that don’t survive a reboot (Pegasus, in some versions, required reinstallation after reboot).

Summary

Zero-click attacks are technically sophisticated, though rarely used against ordinary users. Once executed they are extremely hard to detect or reverse. The most effective defence is keeping software updated, and minimising the apps installed on your devices. For zero-click attacks, the risk lies in what your apps process in the background without you knowing, rather than what you click.