Date: 2025-11-13

New research from the Zimperium zLabs team reveals a sharp rise in mobile threats tied to the holiday shopping season.

The report shows that mishing (mobile phishing) remains the most widespread and effective mobile attack vector. Smishing messages and fake delivery alerts impersonating trusted retail and logistics brands surged up to fourfold during the 2024 holiday shopping period, with attackers using urgency-driven messages like ‘Your package is delayed, click here’ to trick users into revealing credentials or downloading malicious apps.

The report also finds that malware families are expanding beyond banks to target shopping and payment apps, using overlays and accessibility permissions to steal credit card data, intercept one-time passwords (OTPs), and compromise digital wallets. Over 120,000 fake retail apps were identified globally in 2025 – 65 percent mimicking real brands.

Meanwhile, legitimate retail apps continue to expose users and enterprises through misconfigured SDKs, hardcoded private keys, and vulnerable third-party libraries. These are all weaknesses that can be exploited for data theft or remote code execution.

Zimperium warns that these aren’t just consumer scams, but brand risks, and that retailers need to treat mobile security as part of their customer experience strategy, ensuring both their apps and communications are trustworthy and protected.

Nivedita Murthy, senior staff consultant at application security solutions provider Black Duck, says:

Attackers are increasingly targeting retail operators to access customer base information during the holiday season. This time of year is yet another reminder to retailers that emphasizes the need to work on securing business operations as well as customer data to ensure smooth production and uncompromised trust in software. People within an organization tend to be the weakest links and any information gained on customers could be used for future phishing attacks or scams. The fraud industry is thriving, and more and more people are falling victim due to the fact a lot of information on customer activity is available online.

The full report is available from the Zimperium site.
