A zero-click exploit is a vulnerability that compromises a device with no user interaction. No link clicked, no attachment opened, no permission granted. The exploit chain delivers itself through normal-looking traffic (an iMessage, a WhatsApp call notification, an Apple Music URL) and runs to completion before the user notices anything has happened. The exploit class behind Pegasus, Predator, Hermit, and most documented mercenary-spyware deployments since 2019.
What it means in practice
The structural difference between zero-click and one-click exploits is the operational ceiling. One-click attacks require social engineering: the target has to be tricked into doing something. Awareness, training, and phishing-resistant tooling all reduce the success rate. Zero-click attacks remove the user from the equation: the target receives a message, the exploit runs, the implant is installed, the message is silently deleted, the only forensic trace is in iOS or Android internals that ordinary users cannot see. The defense is not behavioral (vigilance does not help) but structural: keep the OS up to date (Apple and Google patch the vulnerabilities Citizen Lab and Project Zero report), enable Lockdown Mode (iOS 16+) which disables many exploit vectors at the cost of feature loss, run forensic scans (Amnesty’s MVT toolkit) when targeting is suspected.
Who is targeted, and by whom
Documented zero-click campaigns by NSO Group (Pegasus), Intellexa (Predator), Cytrox, RCS Lab (Hermit), and others. The targeting pattern is consistent: high-profile journalists (NYT, El País, Le Monde, Guardian staff documented as targets), human-rights lawyers, opposition politicians, civil-society leaders, and (in some authoritarian-customer cases) the family members of all of the above. The Pegasus Project (2021, Forbidden Stories consortium) leaked a list of 50,000 selectors across NSO customer states; subsequent on-device forensic confirmation matched a meaningful subset. The buyer base is governments under contracts approved by the Israeli Ministry of Defense (NSO) or equivalent; the deployment decision is at the customer’s discretion within their contractual terms.
What you can change today
If you are in the targeting bracket (high-profile reporting on intelligence services, organized crime, or authoritarian governments; legal representation of dissidents; advocacy work that has drawn government attention), three structural defenses. First, enable Lockdown Mode on iOS (Settings, Privacy and Security, Lockdown Mode) which disables the message-attachment-rendering and complex-web-feature surfaces that most zero-clicks have used; you lose some functionality, you gain a sharply smaller attack surface. Second, keep the OS on the latest stable version always, with auto-update enabled. Third, if you suspect compromise: do not power off (some forensic state is volatile), do not wipe, contact Citizen Lab’s Security Lab (citizenlab.ca) or Amnesty’s Security Lab through a different device for a forensic scan.
