Zimperium, the global pioneer in mobile security, released new research from its zLabs team revealing a sharp rise in mobile threats tied to the holiday shopping season. The Mobile Shopping Report: From Carts to Credentials highlights how cybercriminals are exploiting the seasonal surge in e-commerce and mobile app activity to target both consumers and enterprises.
According to zLabs’ analysis, mishing (mobile phishing) remains the most widespread and effective mobile attack vector.
Smishing messages and fake delivery alerts impersonating trusted retail and logistics brands surged up to 4x during the 2024 holiday shopping period, with attackers using urgency-driven messages like “Your package is delayed, click here” to trick users into revealing credentials or downloading malicious apps.
Expanding malware families
The report also finds that malware families are expanding beyond banks to target shopping and payment apps, using overlays and accessibility permissions to steal credit card data, intercept one-time passwords (OTPs), and compromise digital wallets.
Meanwhile, legitimate retail apps continue to expose users and enterprises through misconfigured SDKs, hardcoded private keys, and vulnerable third-party libraries. These are all weaknesses that can be exploited for data theft or remote code execution.
“These findings confirm what we’ve been tracking throughout the year: attackers are taking full advantage of the mobile commerce boom,” said Kern Smith, SVP of Global Solutions Engineering at Zimperium. “What begins as a fake shipping alert or counterfeit shopping app can quickly evolve into a corporate breach when employees shop or click from work-connected devices.”
Consumer and enterprise risk
The zLabs team also warns that the holiday season now blurs the boundary between consumer and enterprise risk. Employees using BYOD or corporate-enabled devices to shop, track packages, or manage payments introduce new pathways for credential theft and brand impersonation scams.
“As mobile and enterprise ecosystems converge, security teams must treat the holiday season as a critical risk window, not just for consumers, but for the business itself,” said Ignacio Monta, SVP, Strategy & Threat Intelligence at Zimperium.