Zero-Click Malware: The Attack That Needs Nothing From You
Your phone receives a message. You don't open it. You don't tap anything. But by the time you notice the notification, your device has already been compromised. That is how zero-click malware works, and it is why the usual advice about not clicking suspicious links only goes so far.
Zero-click malware exploits vulnerabilities in software - the apps and operating systems running on your devices - without needing anyone to do anything wrong. There is no phishing email to fall for, no dodgy attachment to open. The attack triggers automatically, often through something as ordinary as receiving a message or a call. A well-documented example from 2019 involved WhatsApp: attackers could install spyware on a target's phone through a missed call. The victim never even answered. More recent attacks have targeted iPhones through iMessage in the same way - a message arrives, the code executes, and the attacker gains full control of the device.
For a professional services business, this matters because your devices hold things attackers want. Client records, financial data, legally privileged communications, insurance policy details. Once an attacker is inside a device, they can copy files, monitor activity, or deploy ransomware across your network. The NZ Privacy Act 2020 requires you to report certain data breaches to the Office of the Privacy Commissioner - and the reputational damage of telling clients their information was exposed can be lasting. The threat is not theoretical. It is already being used against businesses that assumed their staff were too careful to click on anything suspicious.
Defending against zero-click attacks requires a different mindset from awareness training alone. Because no one clicks anything, there is no human behaviour to correct. Protection has to come from the systems themselves. That means keeping software updated promptly - not eventually, but as soon as patches are available, because many zero-click exploits target known vulnerabilities that have already been fixed. It means having proper endpoint protection across all devices used for work, including mobile phones. It means removing applications that are no longer needed, because every unused app is attack surface that nobody is watching or patching. And it means having someone actively monitoring for unusual activity, because early detection is often the only thing that limits the damage when an attack gets through.
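Two of the controls above - patching promptly and removing unused apps - can be checked continuously rather than by hand. The script below is an added example, not code from the original post or from ITstuffed: it runs a patch-currency and idle-app audit over a constructed device inventory. The inventory layout, the baseline versions in BASELINE, the 90-day idle threshold and the fixed audit date are all assumptions chosen for illustration; in practice the records would come from your MDM or asset export.

```python
"""Patch-currency and unused-app audit over a constructed device inventory.

Added example (not code from the original post). The inventory format,
baseline versions, idle threshold and audit date are assumptions.
"""
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per work device,
# with the installed OS version and the last recorded use of each app.
DEVICES = [
    {"name": "phone-alice", "os": "ios", "os_version": "17.4.1",
     "apps": {"Mail": date(2024, 6, 10), "OldChat": date(2023, 12, 1)}},
    {"name": "phone-bob", "os": "ios", "os_version": "17.5",
     "apps": {"Mail": date(2024, 6, 11), "Messages": date(2024, 6, 11)}},
    {"name": "tablet-reception", "os": "android", "os_version": "13",
     "apps": {"Calendar": date(2024, 1, 3)}},
]

# Assumed minimum acceptable OS versions (the newest patched release).
BASELINE = {"ios": "17.5", "android": "14"}

AUDIT_DATE = date(2024, 6, 12)   # fixed so the example is reproducible
MAX_IDLE_DAYS = 90                # apps unused for longer than this are flagged


def parse_version(text: str) -> tuple:
    """'17.4.1' -> (17, 4, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_behind(installed: str, baseline: str) -> bool:
    """True when the installed version is older than the baseline.
    Shorter tuples are zero-padded so '17.5' and '17.5.0' compare equal."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def stale_apps(apps: dict, today: date, max_idle_days: int = MAX_IDLE_DAYS) -> list:
    """Names of apps whose last recorded use is older than the idle threshold."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(name for name, last_used in apps.items() if last_used < cutoff)


def audit(devices: list, baseline: dict, today: date) -> list:
    """One finding per device that is behind on patches or carrying stale apps."""
    findings = []
    for dev in devices:
        issues = {}
        required = baseline.get(dev["os"])
        if required is None:
            issues["unknown_os"] = dev["os"]      # no baseline: cannot assess
        elif is_behind(dev["os_version"], required):
            issues["behind_baseline"] = required
        stale = stale_apps(dev["apps"], today)
        if stale:
            issues["stale_apps"] = stale
        if issues:
            findings.append({"device": dev["name"], **issues})
    return findings


if __name__ == "__main__":
    for finding in audit(DEVICES, BASELINE, AUDIT_DATE):
        print(finding)
```

Run as-is, it reports phone-alice (behind 17.5, OldChat idle) and tablet-reception (behind 14, Calendar idle) and nothing for phone-bob. The useful design point is that an unknown OS is reported rather than silently passed: a device you cannot assess is itself a finding.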
If your business uses a mix of personal and work devices, or has staff accessing client systems remotely, those are the areas most worth examining first. A managed IT arrangement that includes regular patching, endpoint monitoring, and vulnerability assessments will cover most of what is needed. Managed IT support for professional services businesses exists precisely to handle this kind of ongoing security work so you are not trying to stay on top of an evolving threat landscape while also running a practice.
If you want to know where your business currently stands, ITstuffed offers a 15-minute IT Fit Check. Book one here and we can give you a clear picture of your exposure and what to prioritise.
