New iPhone, Android Warning—Do Not Open Any Of These PDFs


Have you been hit by these ‘hidden’ attacks?


With the mobile threat landscape getting worse, iPhone and Android users have just been warned that a dangerous attack “exclusively targeting mobile devices” has been caught “stealing credentials and sensitive data.” You are now at risk from “a never-before-seen” means of hiding attacks. Not only do you need to avoid this threat, you also need to consider whether you’ve already been targeted.

The warning comes by way of Zimperium, whose zLabs team has published the full technical detail behind these new attacks. The basics are all you really need to know though. The attackers have crafted PDF files with new techniques that bypass existing security checks, while relying on the ubiquity of such attachments.


The campaign mimics United States Postal Service (USPS) text messages that are sent to mobile devices. But that’s the easiest part of this to change. And so you should stop opening PDFs attached to text messages from any well-known brand, unless you’re certain they’re legitimate.

Because PDFs are now so ubiquitous, “used extensively for contracts, reports, manuals, invoices, and other critical business communications,” Zimperium warns that “users have developed a natural, but dangerous, assumption that all PDF’s are safe. And now, cybercriminals are actively exploiting that false confidence.” While I would hope that user confidence is already changing, given other PDF attacks over recent months, I fear that Zimperium is probably correct.

Image: Malicious “USPS” text message (credit: Zimperium)

As Zimperium points out, this threat is getting worse. “PDFs have become a common vector for phishing attacks, malware, and exploits due to their ability to embed malicious links, scripts, or payloads.” And on mobiles, with small screens and masked detail, the problem is worse. “Users often have limited visibility into file contents before opening, these threats can easily bypass traditional security measures.”

In PDFs, while links “are typically represented using a /URI tag,” the attackers worked out that by “embedding clickable links without utilizing the standard /URI tag,” it became “more challenging to extract URLs during [security] analysis… In contrast, the same URLs were detected when the standard /URI tag was used. This highlights the effectiveness of this technique in obscuring malicious URLs.”
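
A defender-side illustration of the gap described above, as an added example that is not from Zimperium's report or this article: a Python check that lists URLs declared through the standard /URI action and separately reports URL-shaped strings found elsewhere in the file, including inside Flate-compressed streams. The sample bytes, the `parcel-notice.example` URL and the helper names are constructed for illustration, and because the page does not say how the campaign's links were embedded, placing the URL in a content stream is an assumption.

```python
import re
import zlib

URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")        # standard link action
ANY_URL = re.compile(rb"https?://[^\s()<>\[\]\"']+")    # any URL-shaped string
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def decoded_views(pdf: bytes):
    """Yield the raw file, then each stream that inflates as Flate data."""
    yield pdf
    for match in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-compressed; the raw view already covers it

def audit_links(pdf: bytes) -> dict:
    """Split URLs into those declared via /URI and those found elsewhere."""
    declared, seen = set(), set()
    for view in decoded_views(pdf):
        declared.update(u.decode("latin-1") for u in URI_ACTION.findall(view))
        seen.update(u.decode("latin-1") for u in ANY_URL.findall(view))
    return {"declared": declared, "undeclared": seen - declared}

# --- constructed sample data (not taken from the campaign) ---
SAMPLE_URL = "https://parcel-notice.example/claim"

def build_sample(declared_url: bytes = b"", stream_text: bytes = b"") -> bytes:
    """Build a minimal PDF-like byte string, sufficient for the scanner only."""
    annot = b""
    if declared_url:
        annot = (b"<< /Type /Annot /Subtype /Link "
                 b"/A << /S /URI /URI (" + declared_url + b") >> >>\n")
    content = zlib.compress(b"BT /F1 12 Tf (" + stream_text + b") Tj ET")
    return (b"%PDF-1.7\n" + annot + b"<< /Filter /FlateDecode >>\nstream\n"
            + content + b"\nendstream\n%%EOF\n")

if __name__ == "__main__":
    url = SAMPLE_URL.encode()
    for name, pdf in [("standard /URI", build_sample(declared_url=url)),
                      ("no /URI", build_sample(stream_text=b"Visit " + url))]:
        print(name, audit_links(pdf))
```

A non-empty `undeclared` set is a triage signal rather than a verdict, since legitimate PDFs also carry URLs in body text and metadata.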

Zimperium says it has identified more than “20 malicious PDF files and 630 phishing pages with “hidden” links, indicating a large-scale operation.” The campaign appears to be supported by a widespread, “malicious infrastructure,” which “could potentially impact organizations across 50+ countries. This campaign employs a complex and previously unseen technique to hide clickable elements, making it difficult for most endpoint security solutions to properly analyze the hidden links.”


Despite its cleverness, the attack itself follows the usual pattern of luring users into clicking a link that takes them to a credential stealing webpage. It’s the link that is masked by the new obfuscation techniques.

PDF phishing attacks are not new, and have been “skyrocketing” in recent years. What’s interesting here is the combination of the new link hiding technique and the focus on mobile devices. Staying safe, though, remains the same. You must not click links or open attachments in text messages. Almost all of them are dangerous.
