‘Zero-click’ hacks are growing in popularity. There’s practically no way to stop them.
Once the preserve of a few intelligence agencies, the technology for zero-click hacks is now being sold to governments by a few companies, the most prominent of which is Israel’s NSO Group.
As a journalist working for the Arab news network Alaraby, Rania Dridi said she’s taken precautions to avoid being targeted by hackers, watching out for suspicious messages and avoiding clicking on links or opening attachments from people she doesn’t know.
Dridi’s phone got compromised anyway with what’s called a “zero-click” attack, which allows a hacker to break into a phone or computer even if its user doesn’t open a malicious link or attachment. Hackers instead exploit a series of security flaws in operating systems — such as Apple’s iOS or Google’s Android — to breach a device without having to dupe their victim into taking any action. Once inside, they can install spyware capable of stealing data, listening in on calls, and tracking the user’s location.
With people more wary than ever about clicking on suspicious links in emails and text messages, zero-click hacks are being used more frequently by government agencies to spy on activists, journalists and others, according to more than a dozen surveillance company employees, security researchers and hackers. Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel’s NSO Group.
Bloomberg News has learned that at least three other Israeli companies — Paragon, Candiru and Cognyte Software — have developed or sold zero-click hacking tools, according to former employees and partners of those companies, demonstrating that the technology is becoming more widespread.
A potential victim can take steps that might reduce the chances of a successful zero-click attack, including keeping a device updated. But some of the more effective methods — including uninstalling messaging apps that hackers can use as gateways to breach a device — aren’t practical because people rely on them for communication, said Bill Marczak, a senior research fellow at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology.
Dridi, based in London, said the hack forced her to shut down some of her social media accounts and left her isolated and fearful for her safety.
“They ruined my life,” said Dridi, who suspects she was targeted because of her reporting on women’s rights in the Arab world or links to other journalists who are high-profile critics of Middle Eastern governments.
Human rights groups have tied zero-click technology from NSO Group to attacks by governments on individuals or small groups of activists. A 2019 lawsuit filed by Facebook accused NSO Group of using a zero-click hacking method to implant spyware on the devices of 1,400 people who used its WhatsApp service. NSO Group has disputed the allegations.
The attacks can be difficult for security experts to detect and pose new challenges for technology giants such as Apple and Google as they seek to plug the security holes that hackers exploit.
“With zero clicks, it’s possible for a phone to be hacked and no traces left behind whatsoever,” Marczak said. “You can break into phones belonging to people who have good security awareness. ... You don’t have to convince them to do anything. It means even the most skeptical, scrupulous targets can be spied on.”
Sometimes a zero-click hack doesn’t go as planned and leaves traces that investigators can use to identify that a device has been compromised. In Dridi’s case, administrators at Alaraby noticed suspicious activity on their computer networks and followed a digital trail that led them to her phone.
Attackers use zero-click hacks to gain access to a device and then can install spyware — such as NSO Group’s Pegasus — to secretly monitor the user. Pegasus can covertly record emails, phone calls and text messages, track location, and record video and audio using the phone’s inbuilt camera and microphone.
Marczak and his colleagues at Citizen Lab analyzed Dridi’s iPhone XS Max and found evidence that it had been infected at least six times between October 2019 and July 2020 with NSO Group’s Pegasus. On two occasions in July 2020, Dridi’s phone was targeted in zero-click attacks, concluded Citizen Lab, which attributed the hacks to the United Arab Emirates government.
Dridi is now pursuing a lawsuit against the UAE. A representative for the UAE Embassy in Washington didn’t respond to messages seeking comment.
Marczak, from Citizen Lab, said most of the documented cases of zero-click hacks have been traced back to NSO Group. The company began deploying the method more frequently around 2017, he said.
NSO Group, blacklisted by the U.S. in November for supplying spyware to governments that used it to maliciously target officials, journalists, businesspeople, activists and others to silence dissent, has said it sells its technology exclusively to governments and law enforcement agencies as a tool to track down terrorists and criminals.
“The cyber intelligence field continues to grow and is much bigger than the NSO Group,” a spokesperson for the company said. The spokesperson said that NSO Group has terminated customer relationships due to “human rights issues” and won’t sell cyber intelligence products to about 90 countries.
In December, security researchers at Google analyzed a zero-click exploit they said was developed by NSO Group, which could be used to break into an iPhone by sending someone a fake GIF image through iMessage. The researchers described the zero-click as “one of the most technically sophisticated exploits we’ve ever seen,” and added that it showed NSO Group sold spy tools that “rival those previously thought to be accessible to only a handful of nation states.”
"The attacker doesn't need to send phishing messages; the exploit just works silently in the background," the Google researchers wrote.
Although NSO Group has attracted the most media attention, at least four other Israeli companies have obtained or developed zero-click hacking technology, according to employees of those companies, surveillance professionals and other media reports.
Tel Aviv-based Candiru, a surveillance company that employs more than 120 people, partnered with another Israeli firm, Cognyte, to offer governments zero-click spyware that can be installed on Android and iOS mobile devices, said two former Candiru employees.
Paragon, a firm founded by former members of Israel’s Unit 8200 surveillance agency, has developed its own zero-click hacking technology that it has marketed to governments in Europe and North America as a means to gain access to encrypted messaging apps such as WhatsApp and Signal, according to two former Paragon employees.
A fourth Israeli company, QuaDream, also can compromise Apple iPhones using zero-click hacks, Reuters reported this month.
Hila Vazan, a spokeswoman for Candiru, said the company hadn’t developed or sold any zero-click hacking technology, though she acknowledged that Candiru had “explored a collaboration” with Cognyte to offer it to customers. The U.S. also blacklisted Candiru in November for supplying spyware to governments that used its technology maliciously.
Paragon declined to comment. Representatives for Cognyte and QuaDream didn't return messages seeking comment.
One woman’s account
Carine Kanimba’s experience shows how difficult it can be to prevent a zero-click hack. For the last two years, she has been campaigning for the release of her father, Paul Rusesabagina, a critic of the Rwandan government who was “forcibly disappeared” in August 2020, according to Human Rights Watch. Last year, Rusesabagina, the subject of the movie Hotel Rwanda, was convicted of terrorism charges in a Rwandan court, a proceeding his supporters say was politically motivated.
Kanimba, a joint U.S.-Belgian citizen, said she knew there was a possibility that she might be under surveillance. In October 2020, her security advisers were so concerned that they destroyed her mobile phone. She purchased a new iPhone, but last spring, researchers at Amnesty International informed Kanimba that it had been breached in a zero-click hack and infected with NSO Group's Pegasus.
A forensic analysis of her device, reviewed by Bloomberg, found that an attacker had used iMessage to send malicious push notifications.
"I never saw any message," Kanimba said. "The message arrives and disappears straight away, or it arrives and you cannot see it. So there are no clicks, no action from you. It just infects."
A representative for the Rwandan government didn't respond to a message seeking comment.