Zimperium has disclosed its latest research findings that indicate a significant rise in mobile threats attributable to the holiday shopping season.
Conducted by the zLabs team, the Mobile Shopping Report: From Carts to Credentials emphasises how cybercriminals targeting both consumers and businesses are exploiting increased e-commerce activity.
This surge in mobile app activity has revealed a range of vulnerabilities.
Prevalence of mobile attacks
According to the zLabs analysis, mobile phishing, or "mishing," remains the most prevalent mobile attack method. During the 2024 holiday shopping period, smishing messages and fake delivery notifications impersonating well-known retail and logistics brands increased up to four times.
Many attackers employed urgent messages such as "Your package is delayed, click here" to deceive users into divulging credentials or installing malicious applications.
Attacks on shopping applications
The report also highlights that malware families have expanded their targets from just banks to encompass shopping and payment apps.
These sophisticated attacks use overlays and accessibility permissions to obtain credit card information, intercept one-time passwords, and compromise digital wallets.
Legitimate retail apps are not exempt, as they can put users and enterprises at risk due to misconfigured SDKs, embedded private keys, and vulnerable third-party libraries, all providing opportunities for data theft or remote code execution.
Kern Smith, SVP of Global Solutions Engineering at Zimperium, stated, "These findings confirm what we've been tracking throughout the year: attackers are taking full advantage of the mobile commerce boom. What begins as a fake shipping alert or counterfeit shopping app can quickly evolve into a corporate breach when employees shop or click from work-connected devices."
Consumer and enterprise security risks
The report further warns of the blurred lines between consumer and enterprise risk during the holiday season. Employees who use personal or company-provided devices for shopping, tracking packages, or payment management open new risks for credential theft and brand impersonation scams.
Ignacio Monta, SVP of Strategy & Threat Intelligence at Zimperium, remarked, "As mobile and enterprise ecosystems converge, security teams must treat the holiday season as a critical risk window, not just for consumers, but for the business itself."