
In a recent interview with CBC Ideas, Ron Deibert, founder of the Citizen Lab, warned that mercenary spyware has reached a point where it can infect any device globally with no reliable defense available. His comments, tied to the release of his book Chasing Shadows, highlight the growing threat posed by tools like Pegasus, which exploit zero-click vulnerabilities to silently compromise devices [1]. This article examines the technical mechanisms behind these attacks, their real-world impact, and potential countermeasures for security professionals.
Zero-Click Exploits and Their Global Reach
Modern spyware, such as Pegasus developed by NSO Group, leverages zero-click attacks that require no user interaction. These exploits often target messaging apps like WhatsApp, where a missed call or invisible message payload can trigger a chain of vulnerabilities to gain full device control [2]. According to Deibert, these attacks are now “implanted on anyone’s device anywhere in the world,” with forensic evidence linking them to governments and private entities targeting journalists, activists, and political figures [1].
Amnesty International’s research corroborates this, documenting cases like Azerbaijani journalist Khadija Ismayilova, whose iPhone was repeatedly compromised by Pegasus, leading to the theft of private messages and photos [3]. The 2021 Pegasus Project leak revealed over 50,000 targets, including the family of murdered journalist Jamal Khashoggi [4].
Forensic Detection and the Cat-and-Mouse Game
While tools like the Mobile Verification Toolkit (MVT) can identify spyware traces, developers continuously adapt their techniques to evade detection. Donncha Ó Cearbhaill of Amnesty’s Security Lab noted the challenges: “While it can be tiring to go through 50 phones to find nothing, uncovering an attack makes it worth it” [5]. MVT analyzes device backups for suspicious processes, network connections, and injected payloads, but its effectiveness depends on timely updates to match evolving spyware tactics.
Tech companies have responded with patches: Apple released emergency fixes for iOS zero-days in 2023, and Google addressed exploits affecting over a billion Android devices [6]. However, these measures are reactive, often arriving after exploits are already in use.
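As an added illustration (not code from MVT or from the sources cited here), the sketch below shows the kind of indicator matching a backup audit performs on extracted records, and flags an indicator set that has not been updated recently. The STIX2-style bundle, the records, the `.example` domains, the process name `fakeupdated` and the 30-day staleness threshold are all constructed assumptions.

```python
import json
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed STIX2-style bundle; the indicator values are made up for this example.
BUNDLE = json.loads("""{"type": "bundle", "objects": [
  {"type": "indicator", "modified": "2024-01-10T00:00:00Z",
   "pattern": "[domain-name:value='cdn.tracker.example']"},
  {"type": "indicator", "modified": "2024-01-12T00:00:00Z",
   "pattern": "[process:name='fakeupdated']"}]}""")
# Constructed records standing in for what a backup parser would extract.
RECORDS = [
    {"source": "browser_history", "url": "https://news.example.org/story"},
    {"source": "browser_history", "url": "https://a1.cdn.tracker.example/x?id=7"},
    {"source": "process_usage", "process": "fakeupdated"},
    {"source": "process_usage", "process": "mediaserverd"},
]
PATTERN = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")

def load_indicators(bundle):
    """Return (domains, process names, newest 'modified' timestamp)."""
    domains, procs, newest = set(), set(), None
    for obj in bundle.get("objects", []):
        m = PATTERN.fullmatch(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if not m:
            continue  # not an indicator, or a pattern type this sketch does not handle
        (domains if m.group(1).startswith("domain") else procs).add(m.group(2).lower())
        ts = datetime.fromisoformat(obj["modified"].replace("Z", "+00:00"))
        newest = ts if newest is None or ts > newest else newest
    return domains, procs, newest

def domain_hit(url, domains):
    """Match the host or any parent domain, so subdomains of an indicator count."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))

def audit(records, bundle, now, max_age_days=30):
    """Return (matching records, stale flag); 'now' must be timezone-aware."""
    domains, procs, newest = load_indicators(bundle)
    hits = [r for r in records
            if domain_hit(r.get("url", ""), domains) or r.get("process", "").lower() in procs]
    # A clean result from an old indicator set says little about newer tooling.
    stale = newest is None or (now - newest).days > max_age_days
    return hits, stale
```

An empty hit list with the stale flag set should be read as "not checked against current indicators" rather than as a clean result.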
Mitigation Strategies for High-Risk Targets
For individuals and organizations at risk, several defensive measures can reduce exposure:
- Lockdown Mode (iOS): Enabled in Settings > Privacy & Security, this feature blocks sophisticated spyware by restricting certain functionalities [7].
- Signal for Messaging: Its disappearing messages feature limits data retention.
- Regular Forensic Audits: Tools like MVT should be run periodically on device backups.
Access Now’s Helpline and Amnesty’s Security Lab provide direct support for confirmed or suspected infections [8].
Conclusion
The proliferation of mercenary spyware underscores a critical gap in device security. As Deibert emphasizes, current defenses are outpaced by the sophistication of these tools. Proactive measures—such as stricter export controls on spyware vendors and faster patch cycles—are needed alongside technical countermeasures. For now, vigilance and layered protections remain the best available options.
References
- “Ron Deibert on CBC Ideas: Spyware Abusers Can Easily Hack Your Phone and Surveil You,” Citizen Lab, Apr. 24, 2025. [Online]. Available: https://citizenlab.ca/2025/04/ron-deibert-on-cbc-ideas-spyware-abusers-can-easily-hack-your-phone-and-surveil-you/
- “The Pegasus Project,” Amnesty International, Jul. 18, 2021. [Online]. Available: https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/
- “Spyware: Governments Can Hack into Your Phone While You Sleep,” Amnesty International, Sep. 26, 2023. [Online]. Available: https://amnesty.ca/human-rights-news/spyware-governments-can-hack-into-your-phone-while-you-sleep/
- “New Android Hacking Campaign Linked to Mercenary Spyware Company,” Amnesty International, Mar. 15, 2023. [Online]. Available: https://www.amnesty.org/en/latest/news/2023/03/new-android-hacking-campaign-linked-to-mercenary-spyware-company/
- Mobile Verification Toolkit (MVT) Documentation. [Online]. Available: https://docs.mvt.re/en/latest/
- Access Now’s Digital Security Helpline. [Online]. Available: https://www.accessnow.org/help/