It seems realistic to me. Just send a phishing SMS ("Your bill of $103.54 is due TODAY: http://payments-comcast.net/83954583"), hope the user clicks it, have the webpage exploit one of the numerous iOS Safari vulnerabilities, and you are done. There are tons of vulnerabilities in smartphone browsers: iOS 7.1.2 alone fixed 28 UNIQUE VULNERABILITIES in Webkit (http://support.apple.com/kb/HT6297) 7.1.2 was released merely 2 months after 7.1.1, so at least 3 vulnerabilities are discovered and fixed every week.