19 Dec 2025

Zimperium, the world pioneer in mobile security, has released new threat research exposing a growing wave of mobile-targeted phishing attacks that weaponize PDF documents delivered via SMS and MMS.

The findings reveal how threat actors are exploiting user trust in PDFs and gaps in mobile security controls to harvest credentials and sensitive data at scale.

Zimperium’s zLabs research team

According to Zimperium’s zLabs research team, attackers are increasingly using PDFs as a delivery mechanism for mobile phishing—often referred to as mishing—because the format appears legitimate, is widely used in business communications, and frequently bypasses traditional email- and network-based defenses. When combined with the immediacy of text messaging, these campaigns are proving highly effective.

The research details two active campaigns demonstrating the sophistication and speed of modern mobile attacks. One targeted users of EZDriveMA, Massachusetts’ electronic tolling system, using SMS messages with malicious PDF attachments.

Attackers rapidly generated more than 2,100 phishing domains using automated techniques to evade blocklists. Zimperium detected and classified these domains with 98.46% accuracy, often hours or days before they appeared on public phishing databases.

Malicious infrastructure

A second campaign impersonated PayPal using a fake cryptocurrency invoice delivered via PDF, combining phishing links with voice-based social engineering.

The attack relied on direct IP addresses, URL obfuscation, and disposable VoIP numbers to evade detection. Zimperium identified and blocked the malicious infrastructure more than 27 hours before it was publicly recognized—highlighting a critical exposure window for organizations relying on reactive security controls.

Mobile channels and trusted file formats

“These campaigns show how quickly attackers are shifting to mobile channels and trusted file formats to stay ahead of traditional defenses,” said Pablo Morales, security researcher at Zimperium.

“PDFs sent over SMS create a dangerous blind spot, especially when security tools don’t inspect files at the device level. Detection speed is now the difference between stopping an attack and responding after credentials are stolen.”

Zero-day infrastructure and social engineering

Zimperium’s research underscores a broader trend: cybercriminals are prioritizing mobile as part of a mobile-first attack strategy, leveraging zero-day infrastructure and social engineering to reach users where protections are weakest.

PDF-based phishing often bypasses email gateways, reputation-based filters, and cloud-only defenses, leaving organizations exposed during the most critical early stages of an attack.

Analyzing malicious PDFs on the device

Zimperium protects against these threats by analyzing malicious PDFs and embedded links directly on the device, in real time, regardless of how the file is delivered—SMS, email, QR code, or web. This on-device approach enables early detection of both known and zero-day attacks without sending sensitive documents to the cloud.

The full research report, PDF Phishing: The Hidden Mobile Threat, includes a detailed analysis of both campaigns and guidance for organizations looking to close mobile security gaps.