It’s not uncommon for sophisticated threat actors to target users with exploits that can be triggered without any interaction from the victim.
As an example, Samsung described a scenario where a hacker sends the targeted user a specially crafted image file that automatically exploits a vulnerability — while the phone is locked in the user’s pocket — to give the attacker access to the victim’s messages, picture gallery and bank details.