Nearly 50% of mobile devices run outdated operating systems

Zimperium zLabs has released research on mobile threats, analyzing key trends observed in the past year and providing a comprehensive look at how these threats are evolving. According to the report, approximately 50% of mobile devices run outdated operating systems. This could leave devices open to unpatched vulnerabilities, increasing the attack window for malicious actors.
Mobile-targeted phishing (mishing) accounts for nearly one-third of threats analyzed, and SMS phishing (smishing) accounts for more than two-thirds of mishing attacks. Vishing and smishing have risen by 28% and 22%, respectively. Moreover, PDF phishing has become a new, effective attack vector.
More than 60% of the most prominent Android and iOS third-party components or SDKs are shipped as precompiled binaries, frequently with missing or partial SBOMs. Malicious actors could poison the mobile supply chain with tampered components.
23.5% of enterprise devices have sideloaded apps, raising the risk of mobile device compromise.
Below, security leaders weigh in on these findings.
Security leaders weigh in
Darren Guccione, CEO and Co-Founder at Keeper Security:
The rise of sophisticated and large-scale mobile phishing campaigns reflects the evolving threat landscape targeting mobile users. Cybercriminals are leveraging phishing pages that appear official to exploit users’ trust and the inherent limitations of mobile devices, such as reduced screen visibility. This tactic not only enables credential theft but also evades many traditional defenses, making it a potent threat.
Organizations must adopt a layered security approach to combat such attacks. Employee education is vital for raising awareness about mobile phishing attempts, teaching users to verify sender details, avoid clicking on suspicious links and independently confirm shipping information by navigating to official channels like the company website or app directly. Implementing Multi-Factor Authentication (MFA) adds a critical barrier to prevent unauthorized access even if credentials are compromised. Zero-trust security frameworks with Privileged Access Management (PAM) solutions further mitigate risks by restricting access to sensitive systems, ensuring only authorized users can interact with critical data.
For mobile devices, deploying real-time mobile threat detection and ensuring devices and applications are updated with the latest security patches can proactively defend against threats. Strong encryption and automated patch management can further protect devices. MDM solutions that enforce compliance and restrict data access based on device health ensure a well-rounded mobile security strategy that goes beyond relying on OS updates alone.
Adam Brown, Managing Consultant at Black Duck:
When it comes to mobile devices, one of the more frequent risks is the extraction of biometric information from the trusted execution environment on the device. For each assessment it is assumed the device could be and would be rooted and that a nefarious third-party app would be present. Typically, weaknesses were found in architecture and code implementations; however, over the years, there have been improvements made by the major device producers in the architecture and software implementations of these devices and ultimately their resilience and security against such attacks.
While improved device resilience and security against malware is very positive, app producers and organizations that rely on mobile devices must understand the risk of the software architecture and code implementation on these devices and take action. Otherwise, the weaknesses introduced at that stage result in vulnerabilities and therefore breaches.
According to the Building Security in Maturity Model (BSIMM15) report, organizations are increasingly prioritizing activities that support compliance. For example, there has been a 22% rise in the number of organizations creating SBOMs for deployed software, and a 67% increase in organizations performing software composition analysis (SCA) on code repositories. BSIMM participants are also protecting the code they publish to improve regulatory compliance. The security activity “protect code integrity” increased by roughly 20% from BSIMM14 to BSIMM15, and “use code protection” increased by about 45%.
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
Threat actors find mobile apps appealing for various reasons. These apps often manage sensitive user data such as financial details, personal information, and authentication credentials, which are commonly accessed and transmitted via APIs. Their ubiquitous presence on personal devices makes them prime targets for large-scale cyberattacks. Furthermore, design and development flaws, along with insecure API practices and inconsistent security measures, result in vulnerabilities that can be exploited.
AI-driven attacks pose a risk to mobile apps in several ways. Cybercriminals can leverage AI to streamline identifying and exploiting vulnerabilities within apps or APIs, circumvent existing security protocols using advanced obfuscation and evasion methods, and execute highly personalized phishing or social engineering schemes that evolve based on specific user behaviors. Furthermore, AI can create convincing counterfeit user interactions that can evade bot detection measures.
There is a trend towards integrating in-app protection alongside traditional backend security measures. This trend arises from the understanding that mobile apps are becoming increasingly susceptible to attacks that circumvent backend defenses and strike directly at the app. In-app protection enhances security by reinforcing the app against tampering, reverse engineering and runtime attacks. This method is essential to tackle the changing threat landscape and defend against advanced attacks aimed directly at the app. Additionally, for mobile apps that significantly depend on APIs, it’s vital to incorporate security measures for APIs within the app itself. This encompasses API posture governance to guarantee secure API configurations and access control and behavioral threat protection to identify and thwart harmful API activities originating from the app.
Jason Soroko, Senior Fellow at Sectigo:
One of the reasons some people like to root their Android device or jailbreak their iOS device is to have the ability to sideload applications. Sideloading bypasses the official app store’s rigorous vetting process, leaving devices exposed to malware, unauthorized code, and other security risks.
With Apple now forced in Europe to allow sideloading, the safety net of curated applications is eroded, increasing the potential for compromised apps and systemic vulnerabilities that attackers can exploit to access sensitive data and undermine device integrity.
Spyware on iOS and Android often hinges on jailbreaking or rooting to breach core security measures. By circumventing built-in OS restrictions, attackers secure elevated privileges that allow them to install and conceal spyware. This malicious procedure typically starts with exploiting a device’s vulnerability or tricking users into compromising their own systems, ultimately enabling the spyware to operate undetected, monitor activities, and extract sensitive data.
J Stephen Kowski, Field CTO at SlashNext Email Security+:
The surge in mobile-targeted phishing attacks highlights the critical need for advanced, AI-driven security solutions that can detect and block sophisticated threats in real-time.
Mobile device security is a critical concern that’s often overlooked in corporate planning. Rather than implementing an all-or-nothing approach to personal devices, companies should consider deploying advanced threat detection that can identify compromised devices, block phishing attempts, and prevent lateral movement within networks without disrupting employee workflows. The real solution requires both technical controls and financial planning — recognizing that secure mobile access is now as essential to knowledge workers as computers were decades ago, and budgeting accordingly for proper protection.
By adopting a proactive approach to mobile security, organizations can significantly reduce their vulnerability to these evolving phishing tactics and better safeguard their sensitive data. Regular security audits and penetration testing can help identify and address vulnerabilities beyond those covered by platform updates.