No click required — how zero-click spyware infects a phone that did nothing wrong

Published Jul 17, 2026 by Xiph

Almost every piece of security advice you have ever absorbed rests on one assumption: that you are the last line of defence. Don’t tap suspicious links. Don’t open attachments from strangers. Think before you click. It is good advice, and against most attacks it works. Then there is the category of attack where it is worthless. A zero-click exploit can plant spyware on a phone through a single incoming message the target never opens — never even sees, in some cases — because the flaw being exploited lives in what the phone does with data before anything reaches the screen. No tap, no mistake, no warning. Here is how that is possible, and what actually helps — because some things do.

No click required — how zero-click spyware infects a phone that did nothing wrong

What a zero-click attack actually is

A zero-click attack is exactly what it sounds like: a compromise that requires no action from the victim at all. No link tapped, no file opened, no prompt approved. The attacker sends something to your phone — a message, an image, a call, a calendar invite — and the act of the phone receiving and processing it is enough.

Most zero-clicks ride on zero-day vulnerabilities — flaws nobody on the defending side knows exist yet — which is why they routinely defeat brand-new, fully patched devices. Working chains change hands for millions, which long kept them the preserve of commercial spyware vendors like the NSO Group and their government clients. Pegasus made the technique famous.

How can a message infect a phone nobody opened?

The short answer: your phone opens it for you.

Long before a message appears on your screen, the device has done a surprising amount of silent work on it. It has decompressed the image so it can draw a thumbnail. Parsed the PDF to build a preview. Decoded the video, rendered the emoji, fetched the link preview, read the metadata, and decided what notification to show you. Every one of those steps involves code — millions of lines of it, much written years ago in programming languages that make memory mistakes easy — running automatically on data supplied by a stranger.

A zero-click exploit is a piece of data built to break that code. Feed a parser a file malformed in precisely the right way and it can be tricked into a memory error — writing where it shouldn’t, mistaking data for instructions — until the attacker’s code, smuggled inside the file, is running with the parser’s own privileges. The 2021 FORCEDENTRY exploit remains the canonical example: NSO sent target iPhones a file labelled as a GIF that was really a booby-trapped PDF. Apple’s image-processing code obligingly parsed it, and researchers who later dissected it found it had built a rudimentary computer inside the image parser to run its own logic. All of it happened at the moment of delivery. The target saw nothing.

That is why “the phone did nothing wrong” is the honest framing. It did exactly what it was designed to do. The design is the attack surface.

A short history of the message you never saw

  • 2019 — the missed call. A flaw in WhatsApp’s voice-calling let attackers deliver Pegasus to roughly 1,400 phones worldwide. Victims didn’t have to answer; the call itself was the infection. That campaign produced the NSO Group verdict we covered in June.

  • 2021 and 2023 — iMessage under siege. FORCEDENTRY’s fake GIF was followed in 2023 by BLASTPASS, a chain that infected fully up-to-date iPhones through malicious images buried in innocuous-looking attachments. Both delivered Pegasus. Both required nothing from the victim.

  • 2025 — the year it got crowded. WhatsApp disclosed that spyware from Israeli vendor Paragon had hit around 90 users, journalists included, via malicious PDFs dropped into group chats. In August, a WhatsApp flaw was chained with an Apple image-handling bug for zero-click compromise through a crafted picture. And researchers uncovered LANDFALL — commercial-grade spyware slipping onto Samsung Galaxy phones since mid-2024 inside booby-trapped image files sent over WhatsApp, recording microphones and tracking locations from a photo nobody tapped.

  • 2026 — old flaws, new scale. In February, Apple issued an emergency patch for a vulnerability that had sat in iOS since roughly the first iPhone, exploited in what Apple called an “extremely sophisticated attack” on specific targets. Weeks later came DarkSword: a zero-click kit spread through compromised, everyday websites, infecting thousands of ordinary iPhone users and looting crypto wallets, passwords and messages before erasing its tracks.

Two patterns stand out. Image parsers and messaging apps keep appearing — code that processes media automatically is the front line. And the trajectory runs from hand-picked espionage targets towards ordinary users. The tools are trickling down.

Why “don’t click suspicious links” doesn’t help

  • There is nothing to notice. Awareness training teaches people to spot the dodgy link. Zero-click never engages human judgement at all — the world’s most paranoid user is compromised at the same rate as the most careless one.

  • The evidence can vanish. Several campaigns delete the malicious message after delivery, and some implants live only in memory. Victims don’t just miss the attack; they may never find a trace afterwards.

  • Antivirus is looking in the wrong place. The exploit executes inside legitimate system processes — the image parser, the messaging service — territory mobile security apps have very limited visibility into.

None of this means abandoning the old advice. Most spyware that reaches ordinary Australians still arrives the traditional way — a tapped link, a shady app, a social engineering play. Zero-click is the layer above: the attack that works even when you do everything right.

Read more: How to protect yourself from spyware

The Australian picture

It is tempting to file zero-clicks under “problems for foreign dissidents.” Resist that. Australians carry the same iPhones and Galaxy handsets as everyone else, so the same exploit chains land here on day one. And the people these tools are built for — senior executives, lawyers on sensitive matters, journalists, politicians and their staff, defence and critical-infrastructure personnel, high-net-worth individuals, and diaspora communities watched from abroad — are all part of the local population.

Australia has backed the international push to rein in commercial spyware through the Pall Mall Process, but accountability moves slowly while the industry keeps selling. Meanwhile, most Australian security culture is still built around the phishing drill — the think-before-you-click poster in the office kitchen — which trains precisely the muscle zero-click never touches. And the 2026 shift towards mass zero-click campaigns means the defence of “I’m not important enough to target” is expiring: a crypto wallet and a saved-password file are reason enough.

What genuinely reduces the attack surface

You cannot out-spot an attack with nothing to spot. So the goal changes: shrink what the phone will silently process, close known holes fast, and make the device itself hostile ground.

  • Reduce what your phone processes without asking. Apple’s Lockdown Mode exists for exactly this threat — it blocks most message attachment types, link previews and other complex processing that zero-clicks abuse, at a modest cost in convenience. On any platform, switch off auto-downloading media in WhatsApp and its peers, and delete messaging apps you don’t use. Every app that can receive messages from strangers is a door; fewer parsers, fewer doors.

  • Patch like it matters — because here it truly does. A zero-click chain dies the day its flaw is fixed: Samsung’s patch killed LANDFALL’s entry point, and Apple’s February update closed a door that had stood open for nearly two decades. Turn on automatic updates and install emergency security patches the day they ship, not at the weekend. Retire handsets that no longer receive updates — an unsupported phone is a standing invitation. Newer hardware helps too: Apple’s latest iPhones ship with hardware-level memory protections aimed squarely at breaking these exploit chains.

  • Reboot regularly. Unglamorous, but real: many implants — DarkSword included — do not survive a restart. A daily reboot costs nothing and evicts non-persistent infections. It won’t stop a determined operator re-infecting you, but it raises their cost.

  • Harden the device itself. A GrapheneOS hardened handset strips out swathes of the attack surface a stock phone leaves exposed, hardens memory against precisely the corruption tricks zero-clicks depend on, and can reboot itself automatically. These devices are built for exactly this threat.

  • Take threat notifications seriously. Apple and Google notify people they believe have been targeted by mercenary spyware. If one arrives, it is not marketing — treat the device as compromised and get expert help.

For businesses, the message is simpler still: the phones of your key people are corporate infrastructure and deserve the treatment our mobile device security guide lays out. High-risk roles — executives, finance, legal, anyone near sensitive IP — warrant hardened devices and encrypted communications rather than a stock handset, and a virtual CISO can map who in your organisation is realistically worth an exploit.

A final word

Zero-click attacks are unnerving because they remove the victim from the equation — all the caution in the world cannot protect you from a message you never saw. But the equation has other terms. You cannot be more careful than “never touched it,” so stop trying to win on carefulness: shrink what your phone silently processes, patch the same day, restart often, and put the people most likely to be targeted on hardware designed to be a hard target. The phone did nothing wrong. That doesn’t mean nothing can be done.

If you’d like help working out who in your business is exposed to this class of attack — and putting hardened handsets, secure communications and sensible mobile policy in place — our team does exactly that. Explore our cyber security consulting, or get in touch at enquiries@xiphcyber.com.


Posted in: Security