Cybersecurity

What Is a Zero-Day Exploit and Why Your Phone Is at Risk

Smartphone screen showing a security warning representing a zero-day exploit phone threat

Fact-checked by the SnapMessages editorial team

Quick Answer

A zero-day exploit phone attack targets an unknown software vulnerability before any patch exists., over 70 zero-day vulnerabilities have been actively exploited in the wild this year alone, with mobile operating systems accounting for a growing share. Both iOS and Android users are at risk with zero detection time available.

A zero-day exploit phone attack occurs when hackers weaponize a software flaw that the device manufacturer does not yet know about, meaning no fix exists when the attack begins. According to CISA’s Known Exploited Vulnerabilities Catalog, mobile platforms have appeared with increasing frequency in recent years, targeting both Apple iOS and Google Android systems.

Smartphones carry banking credentials, private messages, and location data, making them far more valuable targets than desktop computers for nation-state actors and criminal groups alike. That shift in attacker focus is reflected in market pricing, government policy, and the documented record of real-world compromises.

Key Takeaways

  • Over 70 zero-day vulnerabilities were actively exploited in the wild in the first half of 2025 alone, per CISA’s KEV Catalog.
  • Google Project Zero recorded 97 zero-days exploited in 2023, the highest single-year count ever documented at the time, with mobile platforms as a significant and growing category. (Google Project Zero)
  • NSO Group’s Pegasus spyware confirmed zero-click iOS exploitation across at least 45 countries, targeting journalists, activists, and politicians. (Amnesty International)
  • Firms like Zerodium pay up to $2.5 million for a full iOS zero-day chain, reflecting demand from intelligence agencies and other high-budget buyers. (Zerodium)
  • Apple’s Lockdown Mode (available since iOS 16) blocks many zero-click attack vectors, but it disables legitimate features and is not practical for most everyday users. (Apple Support)
  • Commercial surveillance vendors including NSO Group, Intellexa, and Candiru have been sanctioned by the U.S. Department of Commerce under export control rules for supplying finished exploit tools to government clients worldwide.

What Exactly Is a Zero-Day Exploit?

The term covers three related but distinct concepts: the vulnerability (the flaw in the code), the exploit (the attack code written to abuse it), and the active attack (the real-world use against a target). All three must come together for a zero-day incident to occur.

Security researchers distinguish between “zero-day vulnerabilities” and “n-day vulnerabilities.” Once a patch is released, the window becomes an n-day exploit, still dangerous, but defensible because a fix exists. Zero-days are uniquely serious because even a fully updated device can be compromised. There is no patch to install because the vendor does not yet know the flaw exists.

How Zero-Days Are Discovered and Sold

Independent researchers, government agencies, and criminal hackers all discover zero-day flaws. A thriving commercial market has grown around them. Firms like Zerodium publicly advertise prices of up to $2.5 million for a full iOS zero-day chain, reflecting how valuable these vulnerabilities are to buyers ranging from intelligence agencies to organized crime.

That pricing also reveals a meaningful asymmetry: the people selling exploits are often better resourced than the teams writing the software being attacked.

The commercial market for mobile zero-days can reach $2.5 million per iOS exploit chain, signaling extremely high demand from sophisticated threat actors. Patches close known gaps, but zero-days exist precisely in the space where no patch has been written yet, leaving even updated phones exposed.

Why Is Your Phone Specifically at Risk?

Phones run a dense stack of software: OS kernel, browser engine, messaging apps, and cellular baseband. Each layer can harbor its own flaws. Phones are also always on, always connected, and rarely rebooted, giving attackers persistent access once inside.

NSO Group’s Pegasus spyware is the most documented case. It used a chain of iOS zero-days to silently compromise iPhones without any user interaction, a technique called a zero-click exploit. Amnesty International’s forensic analysis confirmed Pegasus infections on devices belonging to journalists, activists, and politicians across 45 countries.

iOS vs. Android Attack Surfaces

Both platforms face genuine zero-day risk, but through different attack surfaces. iOS is a closed system with tighter app controls, yet its popularity makes it a premium target. Android’s open ecosystem means more device variants and slower patch rollouts. Google’s Android Security Bulletins document critical-severity vulnerabilities patched each month, but non-Pixel devices from third-party manufacturers often lag weeks or months behind Google’s own schedule.

Messaging apps add another layer of exposure. Apps like WhatsApp, iMessage, and Signal all process untrusted external data: images, audio, video. A flaw in their media-parsing libraries can become a zero-day entry point with no click required from the user. For context on what encrypted messaging does and does not protect against, see our guide on the full scope of mobile exploit threats.

Phones face zero-day risk from multiple simultaneous attack surfaces, OS, browser, and messaging apps. NSO Group’s Pegasus demonstrated zero-click iOS exploitation across at least 45 countries, confirming this is a real-world threat, not theoretical.

Platform Common Attack Vector Average Patch Window
iOS (Apple) WebKit browser engine, iMessage media parsing 14–21 days after discovery
Android (Google Pixel) Linux kernel, media codecs, Bluetooth stack 30 days (monthly bulletin)
Android (OEM) Same as above plus manufacturer firmware 30–90+ days depending on OEM
Messaging Apps Image/video parsing libraries (cross-platform) Varies by vendor; 1–30 days

What Do Real Zero-Day Phone Attacks Look Like?

Real zero-day exploit phone attacks are often invisible to the victim. Unlike phishing, which requires a click, advanced zero-days can compromise a device through a received message or a loaded webpage, with no visible sign anything happened.

In 2021, Apple issued an emergency patch for CVE-2021-30860, a zero-click vulnerability in its CoreGraphics PDF renderer. A malformed PDF sent via iMessage was enough to silently install Pegasus. Google Project Zero, Apple’s own security team, and researchers at the Citizen Lab at the University of Toronto all independently confirmed the exploit’s real-world use against human rights defenders.

The Citizen Lab’s research into CVE-2021-30860, documented in their FORCEDENTRY report, found that the exploit required no interaction from the target whatsoever. The victim received a message; Pegasus installed itself. That finding reshaped how security teams and platform vendors think about the threat model for mobile devices.

Google Project Zero’s annual tracking data showed that 2023 saw 97 zero-days exploited in the wild, the highest count recorded in a single year, with mobile platforms representing a significant and growing category. That trend has continued into 2025.

Google Project Zero documented 97 zero-days exploited in 2023, the highest annual count ever recorded. Zero-click phone attacks like Pegasus require no user interaction at all, which makes traditional advice, “don’t click suspicious links”, insufficient on its own.

How Can You Protect Your Phone From Zero-Day Exploits?

No single action eliminates zero-day risk. The most effective approach focuses on shrinking the attack surface and responding quickly when patches drop.

  • Update immediately: When Apple or Google release security patches, install them within 24 hours. Every day of delay is a day of known exposure.
  • Enable Lockdown Mode (iOS): Apple’s Lockdown Mode, introduced in iOS 16, blocks many of the features zero-click exploits abuse, including complex message attachments and certain web technologies. It is designed specifically for high-risk users.
  • Limit messaging app permissions: Restrict camera and microphone access to only the apps that genuinely need them. This limits what an attacker can reach even if they breach a single app.
  • Use a hardened browser: Avoid opening links sent via SMS or messaging apps directly. Open them in a browser with strong sandboxing instead.
  • Reboot regularly: Some in-memory zero-day payloads (including early Pegasus versions) do not survive a device restart. Weekly reboots are a simple, low-effort mitigation.

One honest limitation here: Lockdown Mode does disable real functionality. FaceTime calls from unknown contacts are blocked, certain web fonts do not render, and shared photo albums are unavailable. For journalists and activists, that tradeoff is clearly worth it. For most people using their phones for ordinary tasks, the feature restrictions will feel burdensome and the risk calculus looks different. Ordinary users are rarely the primary targets of nation-state zero-day deployments, the documented cases overwhelmingly involve high-profile individuals in politically sensitive roles.

If you believe your device is already compromised, our guide on mobile exploit threats and what to do about them covers the broader detection context.

Apple’s Lockdown Mode, available since iOS 16, blocks many zero-click attack vectors by disabling risky features. Combined with same-day patching, it is the strongest practical defense against a zero-day exploit phone attack available to high-risk iPhone users, though it comes with real usability tradeoffs that make it a poor fit for general audiences.

Are Zero-Day Phone Threats Getting Worse?

Yes. The volume, sophistication, and commercial availability of zero-day phone exploits are all increasing. As phones replace laptops for banking, work, and communication, the value of compromising them rises accordingly.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) now mandates that all federal agencies patch known exploited vulnerabilities within defined deadlines, a policy that reflects how operationally serious mobile zero-days have become. The CISA KEV catalog lists dozens of mobile CVEs that have been actively exploited in real attacks.

The rise of commercial surveillance vendors (CSVs) has professionalized the zero-day market. This category includes NSO Group, Intellexa, and Candiru, firms that sell finished exploit tools to government clients. Leakage of those tools into criminal networks is a documented risk. The U.S. Department of Commerce has sanctioned several of these companies under export control rules, acknowledging the systemic threat they pose to civil society globally.

What makes this structural shift particularly difficult to reverse is that the incentive model runs the wrong direction. Governments are often both the buyers of exploit tools and the regulators tasked with limiting their spread.

CISA’s active KEV catalog lists hundreds of mobile CVEs exploited in real attacks, and commercial spyware vendors have made zero-day phone exploits available to dozens of governments. CISA’s public catalog is the most authoritative resource for tracking active mobile threats.

Frequently Asked Questions

Can a zero-day exploit infect my phone without me clicking anything?

Yes. Zero-click exploits require no user interaction at all. Attackers can compromise a device by sending a specially crafted message, even one that never displays visibly, exploiting flaws in how the OS or app processes incoming data. The Citizen Lab’s FORCEDENTRY research confirmed this in documented real-world cases.

Does keeping my phone updated protect me from zero-day exploits?

Updates protect against known vulnerabilities, not true zero-days. Prompt patching is still your most effective defense because it closes the window between discovery and active exploitation. Most real-world phone compromises exploit unpatched known flaws, not fresh zero-days, so staying current matters even when it cannot guarantee full protection.

What is the difference between a zero-day exploit and spyware?

A zero-day exploit is the delivery mechanism, the technique used to break in. Spyware is the payload installed after entry. Pegasus, for example, uses zero-day exploits to install spyware that then monitors calls, messages, and location data. The exploit gets the door open; the spyware does the actual surveillance.

Is iPhone or Android safer from zero-day exploit phone attacks?

Neither platform is immune, and the honest answer is that it depends on which Android device you own. iOS tends to receive faster, more uniform patches due to Apple’s closed ecosystem. Android’s fragmented update chain, especially on non-Pixel devices from manufacturers like Samsung or Xiaomi, often means longer exposure windows after a vulnerability is disclosed. Both platforms are targeted by well-funded threat actors, and both have been confirmed victims in documented attack campaigns.

What is Lockdown Mode and should I use it?

Lockdown Mode is an optional Apple security feature that disables many functions commonly exploited in zero-click attacks, including complex message attachments and certain JavaScript behaviors. It is recommended for journalists, activists, and executives who believe they may be targeted. For most users, the feature restrictions, blocked FaceTime calls from unknown contacts, limited web rendering, no shared photo albums, are not worth the tradeoff. Keeping updates current is sufficient for ordinary threat models.

Can a VPN stop a zero-day exploit on my phone?

No. A VPN encrypts your network traffic but cannot prevent exploitation of OS or app-level vulnerabilities. Zero-day phone attacks target code execution flaws, not network interception, so a VPN provides no meaningful protection against this specific threat.

Who is most at risk from zero-day phone exploits?

Documented targets skew heavily toward high-value individuals: journalists, human rights defenders, lawyers, political figures, and corporate executives. Nation-state actors and commercial surveillance vendors generally focus their most expensive tools on targets where the intelligence value justifies the cost. That said, criminal groups and opportunistic actors use lower-grade exploits against broader populations, particularly through phishing infrastructure and compromised Wi-Fi networks.

How do I know if my phone has been compromised by a zero-day?

In most cases, you will not notice anything. Zero-day exploits used by sophisticated actors are designed to leave minimal traces. Indicators like unexplained battery drain, unusual data usage, or unexpected device heat can sometimes suggest background activity, but these are unreliable signals. The Citizen Lab and Amnesty International’s Mobile Verification Toolkit (MVT) is the most rigorous forensic method currently available for detecting known spyware artifacts on iOS and Android.

What is the CISA KEV catalog and why does it matter for phone users?

The CISA Known Exploited Vulnerabilities Catalog is a publicly maintained list of CVEs that have been confirmed as actively exploited in real attacks. Federal agencies are legally required to patch listed vulnerabilities within CISA’s deadlines. For phone users, the catalog is a practical signal: if a mobile CVE appears there, it has been used against real targets and patching it is urgent, not optional.

Are messaging apps like Signal safer than iMessage against zero-day attacks?

Signal’s open-source codebase and minimal data retention reduce some attack surface compared to iMessage’s tighter integration with Apple’s OS. However, Signal still processes external media and is not immune to media-parsing vulnerabilities. No messaging app eliminates zero-day risk entirely. The more important variable is whether the app vendor responds quickly to reported flaws, and whether the underlying OS has been patched to remove the exploit vectors those apps depend on.

PN

Priya Nambiar

Staff Writer

Priya Nambiar is a certified financial counselor with over a decade of experience helping individuals navigate debt reduction and credit rebuilding strategies. She has contributed to several personal finance publications and hosts workshops focused on empowering first-generation Americans toward financial independence. Her approachable style makes complex credit topics accessible to everyday readers.