
Zero-Click Exploits: The Attacks You Never See Coming

Most people think of hacking as something that begins with a mistake. A bad link clicked in an email. A shady attachment opened. A fake login page that steals a password. But some of the most dangerous attacks do not begin with a mistake at all. They begin with nothing more than your device receiving data it was designed to handle. That is the essence of a zero-click exploit: an attack that can compromise a phone or computer without the victim tapping, opening, approving, or installing anything. (CISA)

A zero-click exploit works by abusing the invisible machinery of modern computing. Phones and PCs constantly process incoming content in the background. They render message previews, decode images, parse PDFs, transcribe audio, inspect attachments, and synchronize cloud content before the user has done a thing. If one of those background processes contains a flaw, an attacker may be able to trigger code execution simply by delivering crafted data to the target. Google Project Zero recently described how automatic processing features on phones can expand this attack surface, because media may be decoded before a message is even opened. (projectzero.google)

That is why zero-click exploits are so feared. They do not depend on ordinary user behavior. Traditional security advice still matters, but “don’t click suspicious links” does not fully protect you from an attack that never asks for a click in the first place. In practice, these exploits are usually expensive, rare, and highly targeted. They are not the tool of the average scammer. They are more often associated with advanced criminal groups, state-backed operators, and the commercial spyware industry. (The Citizen Lab)

What zero-click exploits actually target

On phones, zero-click attacks often aim at the apps and services that automatically ingest outside content: messaging apps, calling services, push notification systems, image libraries, audio decoders, or operating system components tied to messages and attachments. That is one reason mobile devices have become such attractive targets. They are always on, always connected, full of personal data, and built around constant inbound communication. CISA has separately emphasized that mobile devices are rich targets because they hold large amounts of sensitive information and are used continuously for communication and authentication. (CISA)

On PCs, the attack surface looks a little different, but the principle is the same. Email preview panes, document parsers, media handlers, collaboration software, chat clients, and browser engines can all become entry points if they automatically process attacker-controlled content. Desktop zero-clicks are generally less common in the public imagination than mobile zero-clicks, but they are absolutely real. Microsoft Outlook and Windows OLE flaws in recent years were notable because they involved remote code execution with no user interaction required under the right conditions. (NVD)

So while zero-click attacks are often discussed as a “phone problem,” they are really a broader software design problem. Any system that receives untrusted data and processes it automatically can become a candidate for this class of exploit. Phones simply present a particularly rich and constant stream of incoming data. (projectzero.google)

Graphite and Paragon

One of the clearest recent examples is Graphite, a spyware product sold by the company Paragon Solutions. Citizen Lab’s 2025 reporting described Graphite as mercenary spyware tied to highly targeted operations, and found forensic evidence connecting Paragon-linked activity to cases involving journalists and civil society targets. Citizen Lab also reported that WhatsApp discovered and mitigated an active Paragon zero-click exploit and notified more than 90 individuals it believed were targeted. (The Citizen Lab)

The significance of Graphite is not just that it existed, but what it illustrates about the modern surveillance market. This was not a hobbyist tool. It was part of the commercial spyware ecosystem, where companies develop advanced intrusion capabilities and sell them to government customers. Citizen Lab reported that Paragon marketed Graphite as a government-only product, and public reporting has described the company as claiming it sells only to states that respect democratic norms and fundamental rights. Even so, Citizen Lab’s investigations found cases that raised serious questions about abuse, including targeting of journalists and civil society actors. (The Citizen Lab)

There is an important technical point here as well. Graphite appears to have been designed not merely as generic malware, but as precision spyware focused on communications access. Citizen Lab reported that it could target messaging applications rather than necessarily taking over every aspect of the phone in the same way older full-device spyware platforms often aimed to do. That reflects a wider trend in surveillance operations: if you can silently reach the messages, calls, attachments, and metadata, you may not need noisy full-device compromise to get intelligence value. (The Citizen Lab)

In June 2025, Citizen Lab published what it described as the first forensic confirmation of Paragon’s iOS spyware in cases involving journalists, adding to earlier Android-linked findings and strengthening the case that these were not theoretical threats or mere targeting attempts. They also noted the continuing difficulty of proving infection in every case, because modern spyware often deletes traces of itself and mobile forensics can be inherently limited. (The Citizen Lab)

Who uses zero-click exploits

The blunt answer is that ordinary cybercriminals usually do not, at least not the most sophisticated exploits. True zero-click exploits are hard to discover, hard to weaponize, and expensive to maintain. They often involve exploit chains rather than a single bug, crossing multiple security boundaries to move from message parsing or media decoding into meaningful code execution and persistence. Apple itself has highlighted that mercenary spyware attacks typically chain many vulnerabilities together across different security boundaries. (Apple Security Research)

That cost and complexity make zero-clicks especially attractive to governments, intelligence services, law enforcement units, and contractors operating on their behalf. Google’s Threat Analysis Group has said it tracks dozens of vendors that sell exploit or surveillance capabilities to government-backed actors, and noted that a large share of the zero-days it discovered in 2021 were tied to commercial spyware providers. (blog.google)

This does not mean only spies and journalists need to care. Most people are not likely targets of Graphite or similar products. But the techniques pioneered in elite targeting often spread downward over time. A vulnerability first exploited in a political surveillance context can later be reused by other actors once details leak, patches lag, or related techniques become better understood. The same security weaknesses that enable targeted espionage can eventually endanger businesses, activists, executives, administrators, and ordinary users who happen to sit in the wrong place in a threat actor’s path. (CISA)

Phones: why they are especially vulnerable

Modern phones are extraordinarily exposed devices. They receive texts, app messages, call invites, images, documents, voice notes, video clips, push notifications, calendar invitations, wallet passes, and web content all day long. To make this feel seamless, the device preprocesses a lot of it before the user looks at it. That convenience is exactly what attackers try to weaponize. (projectzero.google)

Recent public reporting around Paragon underscores how messaging platforms can become delivery vehicles. Citizen Lab reported that WhatsApp discovered and mitigated a Paragon zero-click exploit, while its forensic work found signs that spyware had been loaded into WhatsApp and, in some cases, other apps on affected Android devices. It also described an iPhone case where Apple later confirmed the attack had been patched in iOS 18. (The Citizen Lab)

Apple’s Lockdown Mode exists largely because of threats like these. Apple says the feature reduces the attack surface that could be exploited by highly targeted mercenary spyware by strictly limiting certain apps, websites, and features. It is not intended for everyone, but for people at elevated risk it is one of the clearest examples of a platform vendor redesigning usability in favor of survivability. (Apple Support)

Android has taken a somewhat different path, emphasizing app vetting, security updates, and protective layers such as Google Play Protect. Google also ties high-risk account defense to its Advanced Protection efforts, though those account controls do not magically stop every device-side exploit. They do, however, help reduce the overall attack surface around account takeover and malicious app delivery. (Google Help)

PCs: a quieter but still serious risk

On computers, zero-click exploits often hide inside the software people trust to “just show” content. Outlook is a useful example because users often assume previewing an email is safer than opening an attachment or clicking a link. In reality, preview features can become part of the attack chain if the client or underlying Windows components mishandle crafted input. NVD lists both CVE-2024-21413 for Microsoft Outlook and CVE-2025-21298 for Windows OLE with UI:N in their scoring vectors, meaning no user interaction is required for exploitation. CISA also added CVE-2024-21413 to its Known Exploited Vulnerabilities catalog, underscoring that this was not merely academic. (NVD)

The broader lesson is that desktops and laptops are not immune simply because they are “real computers” rather than phones. If anything, they often carry a sprawling legacy attack surface: Outlook, Office documents, rich text rendering, browser components, collaboration tools, media libraries, and third-party plugins. A well-defended PC environment can still be exposed if patching is slow, older software remains installed, or email and document workflows are granted too much trust. (NVD)

How to protect yourself

No defense is perfect against a true zero-click exploit, especially a fresh zero-day used by a capable operator. But protection is not hopeless. The goal is to reduce attack surface, shrink the useful lifetime of vulnerabilities, and make exploitation harder, noisier, and less reliable.

The first and most important protection is aggressive patching. Zero-click campaigns depend on unpatched flaws or exploit chains that still work in the wild. When vendors fix them, the attacker’s window narrows. That means keeping phones, apps, browsers, messaging platforms, email clients, and PCs fully updated. In the Paragon-related reporting, Citizen Lab specifically noted that Apple confirmed one investigated iPhone attack had been patched in iOS 18. (The Citizen Lab)

Second, reduce automatic processing where practical. On Apple devices, Lockdown Mode is the most direct example for high-risk users, because it intentionally limits features that can expand the attack surface. On PCs, reducing or disabling unnecessary preview behavior, avoiding risky file types, and limiting automatic rendering in email and collaboration environments can help contain damage. These measures are not glamorous, but zero-click defense is often about removing convenience features attackers depend on. (Apple Support)

Third, keep your app ecosystem tight. On Android, Play Protect is one of the platform’s core safeguards against harmful apps, especially outside the Play Store. On any device, every extra app adds code, permissions, update dependencies, and parser behavior. Minimalism is a security control. The fewer apps that automatically ingest outside content, the fewer places a zero-click chain can hide. (Google Help)

Fourth, take platform warnings seriously. Apple threat notifications, Meta or WhatsApp alerts, Google warnings, and related notices are not things to dismiss as spam if they come through official channels. Citizen Lab explicitly advises journalists, human rights defenders, and others who receive spyware warnings from Apple, Meta, WhatsApp, or Google to treat them seriously and seek expert help. (The Citizen Lab)

Fifth, separate normal-user advice from high-risk-user advice. For most people, staying current on updates, avoiding sideloaded apps, using reputable devices, and maintaining good account security are the right baseline. For journalists, activists, executives, dissidents, lawyers, and people handling sensitive data, the bar should be higher: hardened devices, limited app sets, encrypted communications, expert incident support, and in Apple’s ecosystem, serious consideration of Lockdown Mode. CISA’s recent mobile security guidance also emphasizes stronger communications hygiene and more secure authentication practices for high-risk environments. (CISA)

Finally, organizations need to stop treating phones as “small computers” and start treating them as mission-critical endpoints. Mobile device management, fast patch deployment, user segmentation, incident response plans for mobile compromise, and clear escalation channels for spyware notifications should all be normal parts of security operations now. The commercial spyware market has made that unavoidable. (CISA)

The uncomfortable truth

Zero-click exploits reveal something unsettling about modern technology. The very features that make devices feel intelligent and effortless also make them porous. The machine is always interpreting, always rendering, always anticipating our next move. Attackers do not need to convince us to act when our devices are already acting on our behalf.

Graphite and the Paragon case brought this into focus again. They showed that zero-click exploitation is not a sci-fi concept, not a rumor, and not limited to one notorious spyware vendor from years past. It is part of a living marketplace of intrusion technology aimed at the most intimate device most people own: the phone in their pocket. And while PCs may get less attention in this conversation, they too remain exposed wherever software automatically processes hostile content. (The Citizen Lab)

The practical takeaway is not paranoia. It is realism. Most people will never be hit by a premium zero-click spyware chain. But everyone lives downstream from the same software ecosystems, the same coding mistakes, and the same race between convenience and security. In that world, patching quickly, limiting unnecessary features, heeding threat warnings, and hardening high-risk devices are not optional extras. They are the closest thing we have to a seatbelt against an attack that may never announce its arrival. (Apple Support)