CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
All over the world, people have become dependent on mobile devices for everyday activities, such as banking, communications, e-commerce, and transportation. This reliance is far more pronounced in countries with high digital-penetration rates, where it is commonplace for users to own multiple devices. This ubiquity has resulted in mobile devices becoming attractive conduits for hackers to compromise victims*.
One category of exploits that is becoming increasingly prominent is the zero-click attack, so named as they ostensibly require no action on the part of victims to trigger. Given its stealth and sophistication, zero-click attacks now pose a significant threat, and this issue of CyberSense focuses on zero-click attacks against mobile devices and its security implications.
*Fuelled by the COVID-19 pandemic, the volume of malware detected on mobile devices increased 15% in 2020 as compared to 2019. 2021 has not ended, but Kaspersky has reported similarly high detections this year with the trend set to continue.
WHAT ARE ZERO-CLICK MOBILE ATTACKS?
Cyber-attacks against mobile devices typically involve social engineering techniques which usually require user interaction with specific lures, such as malicious URL links and attachments. When the unsuspecting user clicks on the link, a malicious script/code is executed, enabling the hacker to compromise the device; hence, the success of such attacks depends largely on user carelessness and negligence.
Conversely, zero-click mobile attacks are conducted without the need for user interaction, eliminating the human factor from the process. Such attacks are stealthy in nature and most of the time, take place without the victims’ knowledge – the latter usually have no means of knowing “how” or “when” a compromise happens.
Nonetheless, while many zero-click attacks are sophisticated, they are certainly not magic, and rely on hardware and software vulnerabilities, as well as programming bugs, to succeed. Typically, a specially crafted block of data is sent to a target device over a wireless connection, and exploits an unknown (or unpatched) vulnerability, allowing the hacker to access the device and its contents. In particular, voice calling or messaging applications are popular vectors of zero-click attacks, given that they are near-universal in mobile devices. Their size and complexity also mean such applications frequently possess exploitable vulnerabilities, especially if integrated with other applications and add-ons, making them ideal intrusion vectors for hackers.
NOTABLE ZERO-CLICK ATTACKS AND VULNERABILITIES IN MOBILE DEVICES
While zero-click mobile attacks have risen in prominence, they are not new. Popular Operating Systems (OS) such as Android and iOS have been targeted by zero-click exploits over the past decade. Some of these exploits have been observed taking place in the wild, while other serious vulnerabilities were uncovered by cybersecurity researchers before they could be weaponised:
- In 2021, the Pegasus spyware garnered global attention given how it was allegedly used against human rights activists, journalists, policymakers and lawyers via their iOS and Android phones. Pegasus was said to have the capability to extract messages, photos and e-mails, obtain the target’s location, record calls and secretly activate microphones and cameras. Pegasus could be covertly installed on target devices via techniques such as a missed WhatsApp call, or a message sent to a user’s phone that does not trigger a notification.
- In 2021, ZecOps researchers discovered a vulnerability which could enable hackers to remotely compromise iOS devices that were connected to tailored Wi-Fi access points. It was determined that no user interaction was required for the device to be compromised, as the device could be vulnerable when its Wi-Fi was left on default settings and placed in proximity of a malicious access point.
- The findings mentioned above were built on another ZecOps discovery in 2020, of a vulnerability in Apple’s macOS Mail that allowed hackers to remotely inject malware into Apple devices, which could result in leakage, modification, or deletion of victims’ e-mails. Hackers could execute their attacks by merely sending a malicious e-mail to victims, causing their devices to be compromised without the users even accessing their e-mails. Moreover, there was no obvious indication of any compromise, other than the application slowing down temporarily.
- In 2020, Samsung released a security update for a vulnerability that affected its Android devices since 2014. The vulnerability resided in Skia – an open-source graphics library that supported numerous mobile applications, including multimedia messages (MMS), chat messengers and e-mails. Hackers could remotely access the permissions associated with Samsung Messenger simply by sending a specific MMS with a malicious code to target devices without the need for users to accept the file transfer.
- In 2015, security researchers discovered an Android trojan named Shedun that allowed hackers to install it on devices even if the victims have explicitly rejected the installation. The malware leverages the Android Accessibility Service that allows the OS to interact with applications on behalf of visually impaired users, and subsequently force the installation of the payload.
- In 2010, researchers demonstrated how a GSM vulnerability could potentially allow hackers to intercept cell phone calls and text messages, with equipment costing a mere US$1,500. The hack could be executed by connecting mobile devices to a phony cell phone tower when outgoing calls were made. At that time, GSM-connected phones accounted for 80% of mobile phones globally, and the demonstration already foreshadowed the threat that zero-click attacks would pose to mobile devices.
Given its stealth and the fact that user interaction is not required to trigger the exploit, anyone – even technically adept mobile users – can become a victim of zero-click attacks. Users must therefore be proactive in protecting themselves against them; while not fool-proof, some measures can significantly reduce the likelihood of a successful zero-click attack. The steps that users can adopt are:
- Keeping mobile devices’ operating systems and applications up to date to ensure any known critical vulnerabilities are patched;
- Refraining from jailbreaking devices or installing third-party applications from untrusted sources, as these may weaken security controls and mechanisms in devices; and
- Being mindful and aware of zero-click attacks, and use strong, multi-factor authentication for accounts, especially those that enable access to critical networks.
A healthy dose of vigilance and cyber hygiene will certainly improve users’ posture against zero-click mobile attacks and minimise repercussions of a successful attack.
Forbes, Malwarebytes, Proofpoint, Security Intelligence, Threatpost, Verizon, Wired, ZDNet, ZecOps