Threats Lurking in Common Files: PDFs, Phishing, and Fake Apps

Each spring, leading cybersecurity vendor SonicWall releases its annual Threat Report. Using data from across its global installation base as well as other expert sources, SonicWall's report provides guidance for future cybersecurity investments as well as advice on limiting disruption from cyber attacks.

In its 2025 report, the vendor highlighted common threats found in everyday files that can slip by even the most aware employees. File-based cyber attacks, specifically malicious PDFs and HTML phishing pages, gained momentum in 2024, with statistics showing that 38% of malicious files are HTML-based, with compromised PDFs closely behind at 22%. Also on the rise: Counterfeit mobile apps that trick users into entering payment and personal data.

Interested in the full report? Download your copy now

How Attackers Use Malicious PDFs to Trick Users

Most data breaches start with human error, and cyber criminals continue to find new ways to slide past network defenses using commonplace files such as emails, PDFs, and QR codes that depend on that human factor. Bad actors use this approach because it's easy to evade security and exploit employees to steal valuable info such as login credentials or slip ransomware onto unguarded devices.

The most common approach lures victims to phishing sites through embedded QR codes inside malicious PDFs that appear to be from trusted sources. Once the victim scans the QR code, he or she is redirected to what appears to be a legitimate login page. In reality, the credentials entered are sent to hackers and used to further access IT environments or personal data.

HTML Phishing Techniques Go Hand in Hand with Malicious PDF Attacks

Malicious PDF attacks using QR codes are often successful because of sophisticated HTML web pages that only further extend the appearance of a legitimate ask in the compromised PDF.  These phishing pages often prefill the victim's email address to lend authenticity before prompting the user to enter their password. While some attacks are content with the victim's credentials, others download malware onto the network or device of the victim, or send follow-up emails that deliver other types of threats.

Other tricks include spoofing vendors commonly trusted by employees, such as Microsoft or a local banking institution. Much like common phishing email tactics, these spoofed websites may have only one small element out of place, such as an added or missing letter in a trusted URL or a slightly misspelled name. HTML files are a common format for web pages and can bypass some email security filters, making them a preferred method for attackers and an especially popular ransomware delivery method.

Preventing HTML-based Phishing and Credential Theft

With such sophisticated, sneaky tactics, protecting yourself and your company requires awareness. Common steps to avoid problems include:

• Be wary of every email: Don't open or click links or attachments from unknown or untrusted sources. 
• Check for common red flags: Take a few extra minutes to look for poor grammar, spelling errors, and generic greetings in emails. In particular, be skeptical of URLs and look for "reply to" emails that don't match the content or source.
• Verify websites: Rather than clicking on links, type the address of a website directly into your browser. 
• Keep your defenses high: Use strong passwords and enable multifactor authentication wherever possible, especially with cloud-based applications.
• Update software regularly: Follow a set schedule to update your operating system and security software, but also watch for alerts and patches for new vulnerabilities. 

Recognizing Counterfeit Mobile Apps

Gaining momentum last year was the use of fake mobile apps to compromise devices. These fake apps can be used for data theft, malware infection, financial scams, identity theft, and more:

• Access to Sensitive Information: Fake apps can ask for expanded permissions, such as access to your contacts, location, camera, microphone, or financial data, which can then be exploited for malicious purposes. Once installed, counterfeit apps can collect and transmit personal data, including usernames, passwords, credit card details, and more. 
• Fraud: Apps impersonating legitimate platforms to trick users into investing money or sharing financial details, leading to big losses. Other counterfeit apps charge users for unwanted services or subscriptions. 
• Ransomware Attacks: Once installed, some fake apps are a favorite ransomware delivery method. Once installed on your device, ransomware can encrypt or lockdown device data and demand a ransom for its release. Similarly, they can take over your device, allowing bad actors to take control of your phone and its data. 

How to Spot and Avoid Fake Apps

Much like phishing emails and HTML pages, counterfeit apps are typically built to look and act like a trusted vendor app. And similar to those other tricky approaches, the best defense is to be overly skeptical about any download.  Other tips for protecting yourself from fake mobile apps:

• Download apps from reputable sources, such as the Google Play Store or Apple App Store, that have security measures in place to filter out malicious apps. 
• Before granting permissions, carefully review what access the app is asking for and consider why that access might be needed, given the app's purpose. 
• Pay attention to the download count. Some security vendors advise against any app with fewer than 5,000 downloads.
• Pay close attention to the app's name, icon, and developer information; watch for slightly misaligned spelling and naming conventions and discrepancies in the app icon. There may also be odd photos and misspelled words in the counterfeit app descriptions and screenshots.
• Use a reputable mobile security app to scan for and block fake apps.

Cybersecurity Awareness Key to Avoiding File-Based Attacks

Cybersecurity best practices for guarding against these growing threat types may seem simple, but they are effective. Taking the extra time to review spelling, URLs, researching company names online, and manually typing in URLs to test them don't seem like much, but those easy steps can protect you and your employees from opening the door to bad actors. Cybersecurity awareness training for employees can be key to providing reminders for employees and keeping them updated on new types of threats and common tricks.