Zimperium - Experts & Thought Leaders
Latest Zimperium news & announcements
Zimperium, the world pioneer in mobile security, has released new threat research exposing a growing wave of mobile-targeted phishing attacks that weaponize PDF documents delivered via SMS and MMS. The findings reveal how threat actors are exploiting user trust in PDFs and gaps in mobile security controls to harvest credentials and sensitive data at scale.

Zimperium’s zLabs research team
According to Zimperium’s zLabs research team, attackers are increasingly using PDFs as a delivery mechanism for mobile phishing, often referred to as mishing, because the format appears legitimate, is widely used in business communications, and frequently bypasses traditional email- and network-based defenses. When combined with the immediacy of text messaging, these campaigns are proving highly effective.

The research details two active campaigns demonstrating the sophistication and speed of modern mobile attacks. One targeted users of EZDriveMA, Massachusetts’ electronic tolling system, using SMS messages with malicious PDF attachments. Attackers rapidly generated more than 2,100 phishing domains using automated techniques to evade blocklists. Zimperium detected and classified these domains with 98.46% accuracy, often hours or days before they appeared on public phishing databases.

Malicious infrastructure
A second campaign impersonated PayPal using a fake cryptocurrency invoice delivered via PDF, combining phishing links with voice-based social engineering. The attack relied on direct IP addresses, URL obfuscation, and disposable VoIP numbers to evade detection. Zimperium identified and blocked the malicious infrastructure more than 27 hours before it was publicly recognized, highlighting a critical exposure window for organizations relying on reactive security controls.

Mobile channels and trusted file formats
“These campaigns show how quickly attackers are shifting to mobile channels and trusted file formats to stay ahead of traditional defenses,” said Pablo Morales, security researcher at Zimperium. “PDFs sent over SMS create a dangerous blind spot, especially when security tools don’t inspect files at the device level. Detection speed is now the difference between stopping an attack and responding after credentials are stolen.”

Zero-day infrastructure and social engineering
Zimperium’s research underscores a broader trend: cybercriminals are prioritizing mobile as part of a mobile-first attack strategy, leveraging zero-day infrastructure and social engineering to reach users where protections are weakest. PDF-based phishing often bypasses email gateways, reputation-based filters, and cloud-only defenses, leaving organizations exposed during the most critical early stages of an attack.

Threats by analyzing malicious PDFs
Zimperium protects against these threats by analyzing malicious PDFs and embedded links directly on the device, in real time, regardless of how the file is delivered: SMS, email, QR code, or web. This on-device approach enables early detection of both known and zero-day attacks without sending sensitive documents to the cloud. The full research report, PDF Phishing: The Hidden Mobile Threat, includes a detailed analysis of both campaigns and guidance for organizations looking to close mobile security gaps.
Zimperium, the pioneer in mobile security, today announced new research from its zLabs team uncovering DroidLock, a rapidly evolving Android malware campaign targeting users in Spain. Unlike traditional mobile malware, DroidLock behaves more like full-scale ransomware, enabling complete device takeover through screen-locking overlays, credential theft, and remote control capabilities.

Android safeguards
zLabs researchers found that DroidLock is distributed through phishing websites and begins with a deceptive dropper app designed to bypass Android safeguards and exploit Accessibility Services. Once installed, the malware automatically approves additional permissions, granting access to SMS, call logs, contacts, audio, and more, without the victim’s awareness.

HTTP and WebSocket channels
After establishing persistence, DroidLock communicates with its command-and-control server using both HTTP and WebSocket channels. Through these channels, attackers can issue any of 15 distinct commands, enabling them to:
- Lock the device or change the PIN/password
- Wipe the device through a factory reset
- Silently capture the victim’s image using the front camera
- Mute notifications and restrict user interaction
- Stream the device’s screen and remotely control it via VNC
- Display ransomware-style full-screen overlays demanding payment within 24 hours

Dual overlay mechanisms
A notable tactic includes dual overlay mechanisms used to steal lock-patterns and app credentials. DroidLock deploys fast in-memory overlays to capture screen unlock patterns, while WebView-based overlays render attacker-controlled HTML to harvest credentials from targeted apps. The malware also displays a convincing fake Android system-update screen to keep victims from powering off or interrupting the attack. Although the ransomware overlay does not encrypt files, DroidLock can wipe the device entirely, permanently locking users out and enabling indefinite control by the attacker.

Intercept one-time passcodes
“For enterprises, a compromised device becomes a hostile endpoint,” said Vishnu Pratapagiri, Security Researcher at Zimperium and author of the analysis. “DroidLock can intercept one-time passcodes, change device credentials, wipe data, and remotely control the user interface. Organizations need mobile security that stops these attacks before they disrupt operations or enable account takeover.”
Building on earlier research published in October 2025, Zimperium announced that its zLabs team has uncovered a significantly enhanced variant of ClayRat, an Android spyware family first detailed in the technical brief “ClayRat: A New Android Spyware Targeting Russia”. While the original ClayRat strain was able to exfiltrate SMS messages, call logs, notifications, and device data, take photos, and send mass SMS or place calls, effectively allowing infected devices to become distribution hubs, the newly observed variant demonstrates a substantial escalation in functionality and stealth. The updated strain abuses both Default SMS privileges and Accessibility Services, enabling it to:
- Capture lock-screen credentials (PIN, password, or pattern) and automatically unlock the device.
- Record the screen via the MediaProjection API.
- Present deceptive overlays (for example, fake system-update prompts) to prevent user detection.
- Programmatically initiate taps, blocking the user from powering down or uninstalling the malicious app.
- Generate fake or interactive notifications, then intercept and exfiltrate responses.

This expanded functionality enables full device takeover, making ClayRat far more dangerous than the version first reported, especially since victims may no longer detect or easily remove the malware. The updated behavior also increases the risk to corporate endpoints: compromised devices could leak corporate credentials, MFA codes, or sensitive enterprise data through hijacked SMS, notification flows, or screen captures.

Reliant on phishing webpages
The malware continues to leverage social engineering at scale. As before, ClayRat masquerades as legitimate, widely used applications and services, including major video and messaging platforms, as well as localised or regional services (for example, certain Russian taxi or parking apps). Distribution remains heavily reliant on phishing webpages and sideloaded APKs, including via cloud-storage platforms such as Dropbox. According to zLabs telemetry, more than 700 unique APKs tied to ClayRat have already been identified in a short time window.

BYOD environments
“ClayRat’s evolution shows exactly why enterprises need protection that works at the device level, not just network-based,” said Vishnu Pratapagiri, lead researcher at zLabs. “By abusing Accessibility Services and overlay tricks, this variant turns Android devices into fully compromised endpoints and conventional defenses may not be enough.”

As ClayRat continues to evolve, expanding its spyware, remote-control, and lock-screen manipulation capabilities, enterprises should treat this campaign as a critical reminder: mobile devices, especially in BYOD environments, remain among the most vulnerable entry points for attackers. Zimperium continues to monitor ClayRat and share relevant indicators of compromise with industry partners.