It is common knowledge that your smartphone is a popular target for exploitation. Normally, phishing or malware campaigns rely on a user action: clicking on a link, opening a document, or installing a rogue app. You see these all the time, from unpaid-toll texts sent to your phone to emails that spoof popular brands and ask you to confirm your login credentials or reschedule a failed package delivery.
To protect ourselves, we check the sender name, avoid unknown links and scrutinize message content. And we all know our boss doesn’t need help buying gift cards.
The risks are real, but controllable through proper training and awareness.
Zero-click attacks, in contrast, are radically different. They require no user action to exploit your phone and your data. The attacker doesn’t need you to click a link, open a file, or approve a prompt.
This is because zero-click attacks exploit automated processes on your phone that “listen” for incoming messages or data sent to your device. For example, simply receiving a text or a phone call can result in your phone being compromised.
Zero-click attacks typically exploit flaws in messaging stacks, media parsers, interprocess services or other background subsystems. A vulnerability (e.g., memory corruption, buffer overflow, or use-after-free) is triggered by a crafted message, image, or data payload that gives the attacker control—all without the user ever knowing.
Successful exploits are often not discovered until well after the initial attack. Few phones are protected with advanced security tools that can identify spyware attacks in real time, and only a handful of organizations have the skills to do this kind of forensic analysis, mostly serving high-profile civil society members.
“Zero-click exploitation isn't just a technical problem—it's a measurement problem,” said Ryan Whitworth, cybersecurity architecture and engineering lead at venture capital firm a16z. “Most organizations have no visibility into whether their mobile devices are compromised today, yesterday, or six months ago. That gap between what people assume is secure and what people can actually verify is where real risk lives.”
Recent Examples
One active exploit discovered by iVerify in early 2025 targeted companies across industries including media, politics, and technology. NICKNAME, as this vulnerability was dubbed, was the first public evidence of zero-click mobile exploitation in the U.S.
Also in 2025, researchers at Oligo Security discovered a set of vulnerabilities in Apple’s AirPlay protocol enabling zero-click remote code execution (RCE), demonstrating that the attack surface is not limited to messaging apps but can extend to media, streaming or other services that are open to the outside world.
Perhaps one of the most well-publicized zero-click attacks was against WhatsApp. A commercial spyware vendor had discovered a chain of vulnerabilities that infected a target phone with a phone call, even if the call wasn’t answered. Parent company Meta took the spyware vendor to court, and a California judge awarded almost $170 million in damages.
Zero-click attacks are more prevalent than commonly appreciated. Research iVerify undertook last year returned 1.5 Pegasus infections per 1,000 device scans, and that doesn’t include scans for other spyware strains such as Predator or Paragon Graphite.
Damage to Enterprises
For businesses, zero-click attacks pose varied risks that can lead to financial and reputational harm:
- Undetected Footholds: Because there’s no overt action, intrusions may go unnoticed for months, undermining trust in traditional defenses.
- Espionage and Exfiltration: Attackers can quietly siphon intellectual property, trade secrets, credentials, or internal communications without raising alerts.
- Credential Compromise and Lateral Movement: Once a device is controlled, attackers often harvest tokens or use the device as a pivot into cloud environments, corporate networks, or SaaS accounts.
- Reputation, Regulatory, and Compliance Fallout: Breach of sensitive data or systems can lead to financial loss, regulatory penalties and reputational damage—especially given the highly sensitive nature of the data on our mobile devices.
How to Stay Safe
Just because a device can be infected without action doesn’t mean that there’s nothing you can do to mitigate these attacks. Good cyber hygiene, including keeping your device up to date, is always a best practice regardless of what other protections exist in your environment.
One simple way to help protect against zero-click attacks is rebooting your phone daily. Most zero-click exploits exist in memory only. They generally don’t achieve persistence across reboots, so rebooting your phone can, in theory, make a spyware infection more difficult.
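For a fleet, the two hygiene steps above (keeping devices up to date and rebooting daily) can be checked against a device inventory. The following is an added example, not code from iVerify or Cape; the export format, device names, and minimum OS versions are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an MDM inventory export; the column names, device
# names and the minimum OS versions below are assumptions for illustration.
SAMPLE_EXPORT = """device,platform,os_version,last_boot_utc
exec-iphone-01,ios,18.1,2025-06-01T07:30:00Z
sales-iphone-07,ios,17.6.1,2025-06-02T06:00:00Z
eng-pixel-03,android,15,2025-05-20T09:15:00Z
ops-pixel-11,android,14,not-reported
"""
MIN_OS = {"ios": "18.0", "android": "15"}   # assumed patch baseline
MAX_UPTIME = timedelta(hours=24)            # "reboot daily"


def version_tuple(text):
    """Turn '17.6.1' into (17, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(export_text, now):
    """Return {device: [findings]} for devices that miss either check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        baseline = MIN_OS.get(row["platform"])
        if baseline is None:
            issues.append("unknown platform")
        elif version_tuple(row["os_version"]) < version_tuple(baseline):
            issues.append(f"os {row['os_version']} below {baseline}")
        try:
            booted = datetime.fromisoformat(row["last_boot_utc"].replace("Z", "+00:00"))
        except ValueError:
            # Missing telemetry is itself a finding: the device cannot be verified.
            issues.append("no boot time reported")
        else:
            if now - booted > MAX_UPTIME:
                issues.append(f"up {(now - booted).days}d without reboot")
        if issues:
            findings[row["device"]] = issues
    return findings


if __name__ == "__main__":
    now = datetime(2025, 6, 2, 12, 0, tzinfo=timezone.utc)
    for device, issues in audit(SAMPLE_EXPORT, now).items():
        print(device, "->", "; ".join(issues))
```

A device that reports no boot time is flagged rather than skipped, since a phone that cannot be measured cannot be shown to meet either check.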
For larger enterprises, and those concerned about being more vigilant, there are also tools that can help identify and mitigate zero-click attacks.
iVerify has developed novel technology to proactively hunt and identify incidents of zero-click attacks like Pegasus and Predator, enabling enterprises to act in near real time to isolate infected devices from corporate services, prevent lateral movement, and mitigate the impact of an attack.
And for users of Cape’s cellular service, enterprises have access to all telemetry data for all phones on the global telecom network. This gives them the unique ability to do forensic analysis and block identified malicious traffic over telecom networks.
Zero-click attacks represent a rapidly expanding class of threats that bypass traditional security assumptions and render user vigilance alone insufficient. Their ability to compromise devices silently, evade detection for long periods and provide attackers with direct access to sensitive corporate data makes them uniquely dangerous for individuals and enterprises alike. As in any ecosystem, effective defense requires a layered approach, and mobile is no different. Together, Cape and iVerify form a formidable defense.
To learn more about iVerify, visit iverify.io.

