Zero-click attacks have evolved from being used to primarily target high-profile people for information to becoming a threat to anyone with a smart device.
In 2025, most people are inseparable from their laptops and smartphones. With that familiarity has come a wariness of the dangers of clicking on unsolicited emails, SMS, or WhatsApp messages.
But there is a new and growing menace called zero-click attacks, which have previously targeted only VIPs or the very wealthy because of their cost and sophistication.
A zero-click attack is a cyberattack that hacks a device without the user clicking anything. It can happen just by receiving a message, call, or file. The attacker uses hidden flaws in apps or systems to take control of the device, with no action needed from the user and the user remains unaware of the attack.
“Although public awareness has increased recently, these attacks have steadily evolved over many years, becoming more frequent as smartphones and connected devices proliferated,” Nathan House, CEO of StationX, a UK-based cybersecurity training platform, told The Epoch Times.
“The key vulnerability is in the software, rather than the type of device, meaning any connected device with exploitable weaknesses could potentially be targeted,” he said.
Aras Nazarovas, an information security researcher at Cybernews, told The Epoch Times why zero-click attacks usually target VIPs, rather than ordinary individuals.
“Since finding such zero-click exploits is difficult and expensive, most of the time such exploits are used to gain access to information from key figures, such as politicians or journalists in authoritarian regimes,” he said.
“They are often used in targeted campaigns. Using such exploits to steal money is rare.”
In June 2024, the BBC reported that social media platform TikTok had admitted that a “very limited” number of accounts, including those of media outlet CNN, had been compromised.
While ByteDance, the owner of TikTok, did not confirm the nature of the hack, cybersecurity companies such as Kaspersky and Assured Intelligence suggested it stemmed from a zero-click exploit.
“The part that requires high levels of sophistication is finding bugs that allow such attacks and writing exploits for these bugs,” Nazarovas said.
“It has been a billion-dollar market for years, selling zero-click exploits and exploit chains. Some gray/dark market exploit brokers often offer $500,000 to $1 million for such exploit chains for popular devices and apps.”
Nazarovas added that while ordinary users have been hit in the past by zero-click ‘drive-by’ attacks. These are attacks that emerge after the unintentional installation of malicious software onto a device, often without the user even realizing it. They have become more infrequent with the growing gray market for such exploits.
House said zero-click exploits often seek out vulnerabilities in software and apps that are expensive to discover, which means the perpetrators are usually “nation-state actors or highly-funded groups.”
