why is it so hard to reduce zero-click penetration of mobile phones?


I can understand how someone could find a zero-click attack, but aren’t these usually uncovered and patched fairly quickly? But the Pegasus tool has appeared to work consistently for months. Why can’t Apple, Google, Samsung et al figure this out?

In: 2

They did fix it. For iOS, you would need a version earlier than 14.7 for Pegasus to work, and it’s on 16 something right now.

The reason they’re difficult to patch is because you would need to know what vulnerability they’re using, and for the groups designing malware like that, the vulnerabilities are tightly guarded secrets.

It’s not. As a general consumer, if you keep your phone consistently updated, you have very little to worry about. The Pegasus malware toolkit is used by nation-state actors to target individual people. If you’ve gotten to the point where you’re being targeted by nation-state actors, you’ve got much bigger things to worry about than just zero-click malware.

Truthfully, though, there are bad actors around the world consistently working around the clock on spreading malware with as little effort as possible. If you’re able to find a security hole in the latest version of a phone’s operating system, odds are that security flaw will work in previous versions. These security flaws are *not* easy to find, but there’s big money (millions of dollars in some cases) to be made in finding these exploits, especially for bad actors that want to steal money from people.

But, especially on Android, any security flaw can be a really big deal. Companies that make Android phones are responsible for rolling their own updates. Because Android runs on so many devices, each device requires **major** effort to develop an update for. As a result, phones can go on for years without an update even if a security vulnerability is found. Companies that make Android devices, especially budget options, don’t want to spend the money on developing updates for devices, so critical patches just sometimes never get made. This leads to a situation where there are potentially millions of phones running around with a security flaw that will never get patched.