Rebooting your phone daily is your best defense against zero-click attacks - here's why

Phone hacking technologies are getting stealthier. It's time to treat your phone like a computer, says this cybersecurity expert

Over the past decade, spyware tools have repeatedly been found on the phones of journalists, activists, and politicians. This has raised concerns about the unprecedented proliferation of spyware technology and the lack of protections in the tech sector.

Meta's WhatsApp recently revealed it discovered a hacking campaign targeting about 90 users -- mostly journalists and civil-society members in two dozen countries. According to a WhatsApp spokesperson, the Israeli spyware company Paragon Solutions -- now owned by Florida-based private equity firm AE Industrial Partners -- was behind the attack.

Graphite, Paragon's spyware, infiltrated WhatsApp groups by sending users a malicious PDF attachment. Without their knowledge, it can access and read messages on encrypted apps like WhatsApp and Signal.

A zero-click attack, like the one on WhatsApp, requires no user action for a device to be compromised. Unlike phishing or one-click attacks -- which depend on the victim clicking a malicious link or opening an attachment -- a zero-click attack exploits a security vulnerability in software that processes incoming data automatically, quietly gaining complete access to the device once it is infected.

In an interview with ZDNET, Rocky Cole, co-founder of mobile threat protection company iVerify, said, "in the case of graphite, via WhatsApp, some kind of payload, like a PDF or an image, [was sent to the victims' devices] and the underlying processes that receive and handle those packages have vulnerabilities that the attackers exploit [to] infect the phone."

Public reports don't specify "whether graphite can engage in privilege escalation [vulnerability] and operate outside WhatsApp or even move into the iOS kernel itself, we do know from our own detections and other work with customers, that privilege escalation via WhatsApp in order to gain kernel access is indeed possible," Cole said.

iVerify has uncovered instances where "a number of WhatsApp crashes on [mobile] devices [they're] monitoring with iVerify" have appeared to be malicious in nature, leading the iVerify team to believe that the malicious attacks are "potentially more widespread" than just the 90 people reported to have been infected by graphite.

While the WhatsApp attack targeted mainly civil-society members, mobile spyware is an emerging threat to everyone because mobile exploitation is more widespread than many realize, Cole said. Moreover, "the result is an emerging ecosystem around mobile spyware development and an increasing number of VC-backed mobile spyware companies are 'under pressure to become profitable enterprises,'" he said.

This ultimately creates marketing competition for spyware merchants and lowers barriers that would otherwise deter these attacks.

Earlier this year, WhatsApp won a lawsuit against NSO after a federal judge in California found that NSO was exploiting a security vulnerability in the messaging app to deliver Pegasus. The infamous NSO Group -- known for infecting the phones of journalists, activists, and Palestinian rights organizations -- has used similar zero-click capabilities through its Israeli-made Pegasus spyware, a commercial spyware and phone-hacking tool.

Historically, NSO has avoided selling to US-based clients and was banned by the US Commerce Department under President Joe Biden's administration for allegedly supplying spyware to authoritarian governments. However, shifting political dynamics under the Trump administration raised the possibility that spyware could become more prevalent in the United States, exacerbating mobile exploitation, Cole said.

Cole said the world is totally unprepared to deal with that.

Cole advises people to treat their phone like a computer. Just as you apply best practices to protect traditional endpoints such as laptops from exploitation and compromise, you should apply the same standards to phones. This includes rebooting your phone daily because most of these exploits exist in memory only -- they're not files, and rebooting your phone should, in theory, wipe the malware as well, he said.

However, Cole notes that if the attacker has a zero-click capability like Graphite or Pegasus, you can easily be reinfected after a reboot. That's why he recommends using a mobile security tool to detect targeted attacks. The iVerify mobile-threat scanner for advanced mobile compromise costs just $1 and is easy to use. To learn how to download and test the app yourself, see our guide on how to detect infamous NSO spyware on your phone. You can also try Lockdown Mode if you're using an Apple device. According to Cole, "lockdown mode has the effect of reducing some functionality of internet-facing applications [which can] in some ways reduce the attack surface to some degree."

Ultimately, the only way to truly defend yourself against zero-click capabilities is to fix the underlying vulnerabilities. As Cole emphasized, only Apple, Google and app developers can do that. "So as an end user, it's critically important that when a new security patch is available, you apply it as soon as you possibly can," he said.