You can avoid suspicious links, lock your phone, and keep your apps updated — but what if someone could compromise your device without you doing anything at all? That's the reality of zero-click exploits: silent attacks that compromise your phone simply by sending a malicious message or data packet. No tap required. No warning given.
Researchers at Citizen Lab documented one of the most significant examples when they discovered the FORCEDENTRY exploit — a zero-click vulnerability in iMessage used to deploy NSO Group's Pegasus spyware. The exploit worked by abusing Apple's image rendering library, infecting iPhones without any interaction from the target. Once installed, Pegasus could access messages, contacts, location data, microphone, and camera.
When Journalists Become Targets
In 2025, Citizen Lab confirmed that Paragon Solutions' Graphite spyware had been used to target dozens of journalists and activists across multiple countries. The victims didn't click anything. Their devices were silently compromised via zero-click iMessage attacks. The spyware accessed encrypted messaging apps, cameras, microphones, and location data — all without leaving obvious traces.
WhatsApp separately notified approximately 90 users that they had been targeted with Graphite spyware through a zero-click exploit in its platform. The targets included journalists and humanitarian workers.
These aren't isolated incidents. They represent a growing commercial market for offensive surveillance tools sold to governments and other actors worldwide.
What Zero-Click Attacks Mean for Encryption
This is the uncomfortable truth about device-level attacks: they defeat encryption entirely. If spyware is reading your messages on your device — before they're encrypted for transmission — it doesn't matter how strong your messaging app's encryption is. The attack happens at a layer below the application.
This doesn't mean encryption is pointless. It means encryption is necessary but not sufficient. Device security and communication security are both required.
Reducing Your Exposure
- Keep your OS and apps updated — most zero-click exploits target known vulnerabilities that patches have already fixed
- Enable Lockdown Mode on iOS — Apple's most restrictive security setting, shown to block some zero-click attacks
- Remove apps you don't use, especially those requesting broad permissions
- Watch for warning signs — unexpected battery drain, device running warm when idle, unusual data usage
- For sensitive communications, use a dedicated device that hasn't been exposed to untrusted networks or software
The layered approach: Device security limits the risk of compromise. Communication security — end-to-end encryption with minimal metadata retention — limits the damage if a compromise does occur. Neither replaces the other.