.jpg?lu=468)
21 November 2025
Zimperium has announced new research from its zLabs team revealing a significant increase in mobile cyber threats linked to the holiday shopping period.
The report, titled Mobile Shopping Report: From Carts to Credentials, highlights how cybercriminals are capitalizing on the seasonal rise in e-commerce and mobile app activity to target both consumers and businesses.
According to zLabs’ analysis, mobile phishing — commonly known as mishing — remains the most prevalent and effective attack method. Smishing messages and fake delivery notifications impersonating trusted retail and logistics brands surged up to four times during the 2024 holiday shopping season. These messages often use urgency-driven tactics, such as “Your package is delayed, click here,” to trick users into revealing sensitive credentials or installing malicious applications.
The report further reveals that malware targeting shopping and payment apps is expanding beyond traditional banking malware. Cybercriminals are employing overlays and exploiting accessibility permissions to steal credit card information, intercept one-time passwords (OTPs), and compromise digital wallets. Additionally, legitimate retail apps are vulnerable due to misconfigured SDKs, hardcoded private keys, and insecure third-party libraries, which can be exploited for data theft or remote code execution.
“These findings confirm what we’ve observed throughout the year: attackers are leveraging the mobile commerce boom to their advantage. What starts as a fake shipping alert or a counterfeit shopping app can quickly escalate into a corporate breach if employees shop or click from work-connected devices,” said Kern Smith, SVP of Global Solutions Engineering at Zimperium.
The zLabs team also warns that the boundary between consumer and enterprise risk is blurring during the holiday season. Employees using BYOD (Bring Your Own Device) or corporate-enabled devices to shop, track packages, or manage payments create new avenues for credential theft and brand impersonation scams.
“As mobile and enterprise ecosystems converge, security teams must view the holiday season as a critical risk window — not just for consumers, but for the entire business,” said Ignacio Monta, SVP of Strategy & Threat Intelligence at Zimperium.
