iVerify discovers evidence of zero-click campaign targeting iPhone users

The US-based cybersecurity company iVerify has, by its own account, discovered the first concrete evidence of a so-called zero-click surveillance campaign targeting iPhone users in the United States and Europe. The attacks are said to have occurred without any interaction from the affected users and exploited security vulnerabilities in iOS versions up to and including 17.1.1.
A zero-click attack is a cyberattack in which a device is infected or compromised without any action or interaction from the user – that is, without clicking or opening a link.
As iVerify states in a recent blog post, at least six iPhones were compromised. The affected devices belonged to individuals connected to a US political campaign, a company in the field of artificial intelligence, and to government and media organizations in the United States and Europe. The attack exploited a vulnerability in the so-called nickname notification function of Apple’s operating system. It was possible to send iMessages that executed malicious code without the recipient having to open them.
The “nickname” function on the iPhone is part of Apple iMessage and allows users to display a nickname instead of their real name in group chats. This feature primarily helps identify people in chats more easily, especially when contacts are not saved in the address book or when multiple participants share the same name.
In the case of the attack discovered by iVerify, a vulnerability in this function was exploited: iOS processes nickname-related data automatically in the background – a weakness that attackers could use for so-called zero-click attacks. It was sufficient to send a manipulated iMessage in order to execute malicious code – entirely without the user’s involvement.
Similarities to previous state-sponsored espionage campaigns
According to iVerify, the discovered attacks show similarities to earlier state-backed espionage campaigns. There are indications that the current campaign should be viewed in a geopolitical context. However, a direct attribution to a specific actor is currently not possible. Apple stated, upon request, that the relevant vulnerability has since been patched. Apple says it currently has no evidence that the security hole was actively exploited.
“Our findings suggest it doesn’t matter what channel is being used to communicate if the device itself is compromised; attackers have access to all conversations, regardless of whether those happen over Signal, Gmail, or any secure application.” — iVerify
iVerify has shared the incidents with several technology companies, EU governments, and US authorities. The security researchers advise all iPhone users to update their devices to the latest iOS version and to activate the so-called “Lockdown Mode.” This protective feature, available in iOS since version 16, is designed to protect high-risk individuals such as journalists, activists, and policymakers from targeted attacks.
The discovery is considered one of the first documented cases of zero-click espionage on mobile devices in Western democracies and underscores the growing threat posed by state-sponsored cyberattacks on critical societal actors.