Surge in Zero-Click and Zero-Day Exploits Targeting Mobile Devices
A significant escalation in zero-click and zero-day exploitation techniques was observed throughout 2025, with attackers increasingly targeting mobile platforms such as iOS. Zero-click exploits, which require no user interaction, have become a preferred method for advanced persistent threats, nation-state actors, and commercial surveillance vendors. At least 14 major zero-click vulnerabilities were identified, affecting billions of devices and highlighting the growing attack surface beyond traditional user-driven threats. The average time from vulnerability disclosure to exploitation has dropped dramatically, putting pressure on organizations to accelerate patching cycles and improve detection capabilities.
Recent reports confirm that multiple zero-day vulnerabilities in iOS were actively exploited in targeted spyware campaigns before patches became available. Attackers leveraged flaws in core mobile components, such as browser engines, to execute malicious code and compromise devices with minimal or no user involvement. These incidents underscore the persistent risks posed by mobile spyware and the critical need for rapid patching, enhanced mobile OS visibility, and continuous monitoring for anomalous device behavior as mobile endpoints remain high-value targets for cyber adversaries.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
2025 sees broad escalation of zero-click exploitation across platforms
During 2025, attackers used at least 14 major zero-click vulnerabilities affecting mobile devices, enterprise infrastructure, web frameworks, and AI agents. Reported activity included spyware targeting Apple and Samsung devices, exploitation of Microsoft Copilot and OpenAI ChatGPT, and abuse of commercial surveillance tooling such as Paragon Solutions' Graphite.
Targeted spyware campaigns exploit multiple iOS zero-days before patches
Multiple zero-day vulnerabilities in iOS were exploited in targeted spyware campaigns before Apple released official fixes. The attacks used malicious web content, often with little or no user interaction, to execute code and compromise devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Zero-Day Exploited by LANDFALL Spyware Campaign
A sophisticated Android spyware campaign, identified as "LANDFALL," exploited a zero-day remote code execution vulnerability in a widely used image-processing library on major Android devices. Attackers delivered the spyware through malicious DNG image files, often sent via messaging apps, enabling a zero-click exploit chain that bypassed traditional antivirus defenses. Once installed, the spyware gained extensive access to device resources, including the microphone, location data, call logs, photos, and contacts, highlighting the increasing risk posed by advanced mobile threats targeting both personal and business data on smartphones. Security researchers emphasize the critical need for organizations to prioritize timely patching of mobile endpoints, monitor for anomalous device behavior, and enforce robust mobile security policies, especially in BYOD and hybrid environments. The incident demonstrates how mobile devices have become primary targets for high-stakes espionage and underscores the importance of continuous threat monitoring and improved user security hygiene to mitigate the risk of compromise from sophisticated, zero-day-driven attacks.
Mar 21, 2026
Google GTIG Report Finds 90 Zero-Day Vulnerabilities Exploited in 2025, With Growing Commercial Spyware Activity
Google Threat Intelligence Group (GTIG) reported tracking **90 zero-day vulnerabilities exploited in the wild during 2025**, up from 78 in 2024 (and below the 2023 peak of 100). GTIG said it could directly attribute exploitation for 42 of the 90, including **18** assessed as definitively or likely used by **commercial surveillance vendors (CSVs)**, while **state-sponsored espionage groups** (including PRC-, Russia-, and UAE-linked activity) continued to exploit zero-days—often prioritizing **edge devices and security appliances** (e.g., routers, firewalls, VPN and other perimeter technologies) to gain organizational access. The report also highlighted vendor and platform targeting patterns, with **Microsoft** products most frequently affected, followed by **Google** and **Apple**, and noted shifts in target categories such as fluctuating mobile-device zero-days and a decline in browser zero-days. Google’s accompanying analysis emphasized that, for the first time in its tracking, **attributed CSV exploitation exceeded traditional state-sponsored cyber-espionage attribution**, reflecting a broader trend of commercial exploit capabilities being productized and used by a wider set of customers. Separate commentary on exploitation timelines argued that the window between disclosure and exploitation has rapidly compressed—citing a “Zero Day Clock” dataset built from thousands of CVE-to-exploit observations and additional findings (e.g., a material share of known-exploited vulnerabilities being weaponized on or before CVE publication)—reinforcing that defenders should assume faster weaponization and reduced patching lead time for high-value targets, especially perimeter and mobile/browser attack surfaces.
Mar 26, 2026
Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
Mar 21, 2026