Your Phone Got Hacked and You Did Nothing Wrong
Pegasus, Predator, and other nation-state spyware deploy zero-click exploits that require no user interaction. A threat intelligence and mobile security explainer on NSO Group-class surveillance.
What "zero-click" means
A zero-click exploit compromises your device without you tapping a link, opening a file, or doing anything at all. The attacker sends a specially crafted message, image, or data packet to your device, and the operating system or an app processes it automatically. The exploit runs in the background. No notification, no visible sign, no interaction required.
This is different from phishing, where you have to click a link, and different from conventional malware, where you have to install something. Zero-click exploits target the code that runs before you ever see the message: the parser that processes the image, the protocol handler that decodes the packet, the preview renderer that generates the thumbnail.
FORCEDENTRY: a computer inside an image
The most technically remarkable zero-click exploit ever discovered was FORCEDENTRY, used by NSO Group's Pegasus spyware and publicly documented by Google Project Zero and Citizen Lab in 2021.
FORCEDENTRY targeted Apple's iMessage by exploiting the PDF parser embedded in the image rendering pipeline. Here is what makes it extraordinary: the exploit constructed a virtual computer inside the image parser.
Apple's CoreGraphics framework supports JBIG2, a compression standard for black-and-white images. JBIG2 includes a feature that lets you combine image segments using logical operations (AND, OR, XOR, XNOR). The exploit used these logical operations as computational primitives.
The attack worked like this:
- The attacker sends an iMessage containing a specially crafted PDF file disguised as a GIF
- iMessage automatically processes the attachment to generate a preview
- The PDF contains over 70,000 JBIG2 segment commands that, when processed by the parser, perform arbitrary computation
- These segment commands implement a small virtual CPU architecture with registers, memory, and an instruction set
- The virtual CPU runs a program that exploits a separate vulnerability to escape the parser sandbox
- The exploit gains code execution on the device and installs Pegasus spyware
The researchers at Google Project Zero called it "one of the most technically sophisticated exploits we've ever seen." The attackers built a working computer out of an image compression format's logical operations. No JavaScript, no shellcode in the traditional sense. Just thousands of image decompression commands arranged to perform computation.
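To make the "computer inside an image" idea concrete, here is a small toy model, added to this explainer and not taken from Project Zero's writeup, NSO's exploit, or any real JBIG2 decoder. The page bitmap is simulated as a list of one-pixel cells, and each segment composites a source cell onto a destination cell with one of the four JBIG2 combination operators named above. The cell layout, the Segment/Page names and the macro helpers are my own assumptions; the point it demonstrates is only that AND, OR, XOR and XNOR applied to a bitmap are enough to build NAND (which is functionally complete) and a full adder, which is why a parser that runs an attacker-controlled list of such operations is itself a programmable machine.

```python
# Toy model of JBIG2-style region composition used as a logic engine.
# Added illustration: NOT a JBIG2 parser and not Project Zero's or NSO's code.
# The "page" is a 1-bit bitmap modelled as a list of single-pixel cells; each
# Segment composites one source cell onto one destination cell with one of the
# four JBIG2 combination operators the text names.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

# JBIG2 combination operators: new_dst = op(old_dst, src)
OPS: Dict[str, Callable[[int, int], int]] = {
    "OR":   lambda dst, src: dst | src,
    "AND":  lambda dst, src: dst & src,
    "XOR":  lambda dst, src: dst ^ src,
    "XNOR": lambda dst, src: 1 - (dst ^ src),
}


@dataclass(frozen=True)
class Segment:
    op: str   # combination operator applied when the region is composited
    src: int  # source cell (stands in for a decoded region)
    dst: int  # destination cell on the page


class Page:
    """1-bit page bitmap; cell 0 is reserved as a constant-zero region."""

    def __init__(self, n_cells: int, inputs: Dict[int, int]) -> None:
        self.cells: List[int] = [0] * n_cells
        for cell, bit in inputs.items():
            self.cells[cell] = bit & 1

    def run(self, program: List[Segment]) -> None:
        for seg in program:
            self.cells[seg.dst] = OPS[seg.op](self.cells[seg.dst], self.cells[seg.src])


# Cell layout for the demos (hypothetical assignment chosen for this example).
ZERO, A, B, CIN, S, COUT, T1, T2 = range(8)


# Macros built only from the four operators: clearing is AND with the
# constant-zero region; NOT is XNOR of a cleared cell with the source.
def clear(cell: int) -> List[Segment]:
    return [Segment("AND", ZERO, cell)]

def copy(src: int, dst: int) -> List[Segment]:
    return clear(dst) + [Segment("XOR", src, dst)]

def invert(src: int, dst: int) -> List[Segment]:
    return clear(dst) + [Segment("XNOR", src, dst)]   # 1 - (0 ^ src) == NOT src


# NAND is functionally complete, so a decoder that applies these operators to
# an untrusted segment list can be driven to compute any boolean function.
NAND_PROGRAM = copy(A, T1) + [Segment("AND", B, T1)] + invert(T1, T2)

FULL_ADDER_PROGRAM = (
    clear(S) + [Segment("XOR", A, S), Segment("XOR", B, S), Segment("XOR", CIN, S)]  # S = A^B^CIN
    + copy(A, T1) + [Segment("XOR", B, T1), Segment("AND", CIN, T1)]                 # T1 = (A^B)&CIN
    + copy(A, T2) + [Segment("AND", B, T2)]                                           # T2 = A&B
    + clear(COUT) + [Segment("OR", T1, COUT), Segment("OR", T2, COUT)]               # COUT = T1|T2
)


def nand(a: int, b: int) -> int:
    page = Page(8, {A: a, B: b})
    page.run(NAND_PROGRAM)
    return page.cells[T2]


def full_adder(a: int, b: int, cin: int) -> Tuple[int, int]:
    """Returns (sum, carry_out) computed purely by segment composition."""
    page = Page(8, {A: a, B: b, CIN: cin})
    page.run(FULL_ADDER_PROGRAM)
    return page.cells[S], page.cells[COUT]


if __name__ == "__main__":
    for a, b, c in product((0, 1), repeat=3):
        s, cout = full_adder(a, b, c)
        print(f"{a}+{b}+{c} -> sum={s} carry={cout}")
```

Each full-adder bit takes 14 segments here; the real exploit's 70,000 segments give a sense of how much logic the attackers expressed in the same way. The defensive lesson is the one the text draws: a parser that evaluates arbitrarily long operation lists over untrusted data needs the same sandboxing and bounds discipline as an interpreter.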
BLASTPASS: PassKit as an attack vector
In September 2023, Citizen Lab discovered BLASTPASS, another zero-click exploit targeting iMessage. This one exploited Apple's PassKit framework, which handles Apple Wallet passes (boarding passes, tickets, loyalty cards).
The attacker sent an iMessage containing a malicious PassKit attachment. The PassKit processing code had a vulnerability in how it handled image data within the pass file. When iMessage automatically processed the attachment, the vulnerability was triggered, giving the attacker code execution. Like FORCEDENTRY, no user interaction was required.
Apple patched BLASTPASS in iOS 16.6.1 and credited Citizen Lab for the discovery.
WhatsApp zero-click 2025
In early 2025, WhatsApp disclosed a zero-click vulnerability (CVE-2025-30401) that was being actively exploited in the wild. The attack targeted the media processing pipeline. A specially crafted video or image sent through WhatsApp would trigger a memory corruption vulnerability in the media decoder before the user opened the message.
WhatsApp confirmed that the exploit was being used to deploy spyware and was linked to Paragon Solutions, an Israeli surveillance company. The targets included journalists and civil society members across multiple countries.
DarkSword: targeting iOS 18
In late 2025 and early 2026, security researchers identified a zero-click exploit chain dubbed DarkSword targeting iOS versions 18.4 through 18.7. The exploit targeted the notification processing pipeline, exploiting a vulnerability in how iOS handled rich notifications from certain messaging protocols.
Details remain limited because the exploit was discovered through forensic analysis of targeted devices, and Apple patched the underlying vulnerabilities in iOS 18.7.1 without extensive public documentation. The exploit was attributed to a state-sponsored group, though the specific actor has not been publicly named.
Apple Lockdown Mode: zero compromises in four years
Apple introduced Lockdown Mode in iOS 16 (September 2022) as an extreme security option for users at high risk of targeted surveillance. Lockdown Mode removes attack surface by disabling features:
- iMessage blocks most attachment types; link previews are disabled
- Web browsing disables JIT JavaScript compilation and other complex web features
- FaceTime blocks incoming calls from unknown numbers
- Shared Albums are removed from Photos
- Wired connections to computers/accessories are blocked when the device is locked
- Configuration profiles cannot be installed
Since its introduction, no zero-click exploit has successfully compromised a device running Lockdown Mode. Citizen Lab confirmed this in 2024 after analyzing devices belonging to targeted journalists and activists. Devices with Lockdown Mode enabled showed evidence of attempted exploitation (the attack was delivered) but no evidence of successful compromise.
Four years without a single known bypass is a remarkable track record, especially against the caliber of attackers (NSO Group, state-sponsored groups) who target these devices.
Who gets targeted
Zero-click exploits are expensive. A working iOS zero-click chain sells for $1.5 to $2 million on the exploit broker market (Zerodium, Crowdfense). These are not used against random individuals. The confirmed target categories include:
- Journalists investigating government corruption, organized crime, and intelligence agencies
- Human rights activists and NGO workers in authoritarian countries
- Politicians and government officials, including heads of state and their staff
- Lawyers representing high-profile defendants or involved in politically sensitive cases
- Diplomats and intelligence officers
If you are not in one of these categories, you are almost certainly not the target of a zero-click exploit. The cost and operational risk of deploying these tools means they are reserved for high-value intelligence targets.
How to check if you are compromised
Apple provides a built-in indicator. Starting with iOS 16, devices that detect exploitation attempts generate a notification, and Lockdown Mode is enabled under:
Settings > Privacy & Security > Lockdown Mode
Additionally, tools exist for forensic analysis:
- iVerify (free for basic scans): scans your device for known indicators of compromise associated with Pegasus and similar spyware
- Amnesty International's Mobile Verification Toolkit (MVT): an open-source forensic tool that analyzes iOS backup files for traces of known spyware. Requires a computer and a backup of your device.
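The core of what a tool like MVT does with a backup is simple to show: load a STIX2 indicator feed and match artifacts extracted from the backup (visited domains, process names) against it. The following is an added example written for this page, not MVT's own code, and every indicator, history row and process name in it is a constructed placeholder rather than a real Pegasus IoC. It supports only the single-comparison STIX pattern form `[type:property = 'value']`, which is my simplifying assumption.

```python
# Minimal MVT-style indicator check over artifacts extracted from a backup.
# Added illustration, not MVT's code. The STIX2 bundle, the history rows and
# the process list are all constructed placeholders, not real IoCs.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SAMPLE_STIX_BUNDLE = {  # constructed; real feeds come from the IoC provider
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "constructed C2 domain",
         "pattern": "[domain-name:value = 'placeholder-c2.invalid']"},
        {"type": "indicator", "name": "constructed process name",
         "pattern": "[process:name = 'placeholderd']"},
        {"type": "malware", "name": "not an indicator, ignored"},
    ],
}

# Only the simple single-comparison STIX pattern form is parsed here.
PATTERN_RE = re.compile(
    r"^\[(?P<objtype>[a-z-]+):(?P<prop>[a-z_.]+)\s*=\s*'(?P<value>[^']*)'\]$")

# (object type, property) -> lowercase value -> indicator name
IocTable = Dict[Tuple[str, str], Dict[str, str]]


def load_indicators(bundle: dict) -> IocTable:
    table: IocTable = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # compound/unsupported pattern: skip rather than mis-parse
        key = (m["objtype"], m["prop"])
        table.setdefault(key, {})[m["value"].lower()] = obj.get("name", "")
    return table


def check_history(rows: List[Tuple[str, str]], iocs: IocTable) -> List[dict]:
    """Match the hostname of each visited URL, and its parent domains, against domain IoCs."""
    domains = iocs.get(("domain-name", "value"), {})
    hits = []
    for timestamp, url in rows:
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        labels = host.split(".")
        # Try the full host, then each parent domain, but never the bare TLD.
        for i in range(max(len(labels) - 1, 1)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                hits.append({"timestamp": timestamp, "url": url,
                             "matched": candidate, "indicator": domains[candidate]})
                break
    return hits


def check_processes(names: List[str], iocs: IocTable) -> List[dict]:
    procs = iocs.get(("process", "name"), {})
    return [{"process": n, "indicator": procs[n.lower()]}
            for n in names if n.lower() in procs]


SAMPLE_HISTORY = [  # constructed rows in the shape of browser history visits
    ("2024-01-01T10:00:00Z", "https://cdn.placeholder-c2.invalid/a.gif"),
    ("2024-01-01T10:01:00Z", "https://example.com/"),
]
SAMPLE_PROCESSES = ["launchd", "placeholderd", "SpringBoard"]  # constructed


def run_checks(history: List[Tuple[str, str]], processes: List[str], bundle: dict) -> List[dict]:
    """Run every check and return the combined list of hits (empty means no match)."""
    iocs = load_indicators(bundle)
    return check_history(history, iocs) + check_processes(processes, iocs)


if __name__ == "__main__":
    for hit in run_checks(SAMPLE_HISTORY, SAMPLE_PROCESSES, SAMPLE_STIX_BUNDLE):
        print(hit)
```

Two caveats worth keeping in mind when reading real results: a match only proves the artifact was present, not how it got there, and an empty result proves little, since an attacker who knows the public IoC list will have rotated infrastructure. That is why the text treats forensic scans as a supplement to Lockdown Mode and prompt updates rather than a substitute.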
If you are in a high-risk category:
- Enable Lockdown Mode immediately. The usability tradeoffs are real but manageable.
- Keep iOS updated. Most zero-click exploits target specific iOS versions and are patched within days of discovery.
- Use a separate device for sensitive communications if possible.
- Reboot your phone daily. Many exploits achieve only "non-persistent" compromise that does not survive a reboot.
- Be aware that zero-click means you cannot prevent the initial attack. Your defense is reducing attack surface (Lockdown Mode) and rapid updates.
Want us to check your Mobile setup?
Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
