Mobile security is a frontline risk. Are you ready?
The mobile threat landscape has shifted. According to Zimperium’s 2025 Global Mobile Threat Report, attackers are now prioritizing mobile devices over desktops. For enterprises, mobile is no longer a secondary risk. It’s now one of the primary attack surfaces.
[Figure: CVE data for iOS and Android OS versions (Source: Zimperium)]
Mobile phishing (mishing) is surging
Roughly one-third of mobile threats are phishing attacks, which the report calls mishing, and SMS phishing (smishing) accounts for more than two-thirds of those. Attackers are also embedding phishing links in malicious PDF attachments rather than in the message body. The United States remains the most targeted region, so American businesses are especially exposed.
Recommendation: Deploy AI-based mobile threat defense tools. Train employees to recognize phishing attempts, especially through text messages and PDFs. Regularly update your training as attack methods evolve.
Sideloaded apps and outdated devices create serious risk
Nearly 25 percent of enterprise devices have sideloaded apps, meaning apps installed from outside the official app stores. Many are fake or tampered versions of legitimate apps that quietly steal data or install malware.
At the same time, about 25 percent of mobile devices in use cannot upgrade to the latest OS versions. This leaves them permanently vulnerable to known exploits.
Recommendation: Set policies to vet third-party apps before allowing them on enterprise devices, and restrict sideloading wherever possible. Decommission devices that can no longer receive OS updates, even if they still work; an unpatchable device carries its known vulnerabilities indefinitely.
Work apps are a weak link
Zimperium found that 23 percent of apps used on work devices communicate with servers in high-risk or embargoed countries. Many work apps fail to encrypt their network traffic properly, or mishandle sensitive data such as location, contacts, and text messages.
Even apps built in-house are often insecure. Most mobile apps lack strong protections such as code obfuscation or runtime security checks. More than 60 percent of Android apps rely only on basic, free protection tooling, and on iOS, 60 percent of apps have no code protection at all.
Recommendation: Continuously vet third-party apps, not just once at install but every time they update. Review app permissions and data flows. For internally built apps, move beyond free tooling and invest in strong binary protection, secure communications, and device attestation.
Device attestation is now critical
The report stresses one point repeatedly: even a well-built app cannot protect itself if it runs on a compromised device. A rooted, jailbroken, or malware-infected device undermines the app's defenses from below, because a compromised OS can hook, patch, or observe anything the app does. Without device attestation, neither the app nor its backend can tell whether requests are coming from a trustworthy environment.
Recommendation: Require device attestation for all critical mobile apps, both third-party and in-house. Make it a standard part of your mobile app development lifecycle.
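What "require device attestation" means in practice is a challenge/response between the app's backend and the platform's attestation service, and the backend must check every part of the response, not just the verdict. The following is an added illustration written for this article; it is not Zimperium's code and does not reproduce any vendor's SDK or token format. Its assumptions: the platform attestation service is simulated by `sign_statement()`, HMAC-SHA256 with a shared key stands in for the vendor's asymmetric signature so the example runs offline with only the standard library, and the package name `com.example.bankapp` and the verdict label `MEETS_DEVICE_INTEGRITY` are illustrative placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

EXPECTED_PACKAGE = "com.example.bankapp"     # hypothetical app id (assumption)
REQUIRED_VERDICT = "MEETS_DEVICE_INTEGRITY"  # illustrative verdict label (assumption)
NONCE_TTL_S = 300                            # lifetime of a server challenge
STATEMENT_MAX_AGE_S = 120                    # how old a signed statement may be


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def sign_statement(key: bytes, nonce: str, package: str, verdicts, ts: float) -> str:
    """Stand-in for the platform attestation service (assumption: HMAC instead of the
    vendor's asymmetric signature). Binds server nonce, caller identity and verdict."""
    body = json.dumps({"nonce": nonce, "package": package,
                       "verdicts": list(verdicts), "ts": ts}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


class AttestationVerifier:
    """Backend side: issues single-use nonces and checks the returned statements."""

    def __init__(self, platform_key: bytes):
        self._key = platform_key
        self._nonces = {}  # nonce -> issue time; removed on first use

    def issue_nonce(self, now: float) -> str:
        nonce = secrets.token_urlsafe(32)
        self._nonces[nonce] = now
        return nonce

    def verify(self, token: str, now: float):
        """Return (accepted, reason); every rejection names the check that failed."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return False, "malformed token"
        # 1. Signature first: a re-signed or edited body proves nothing.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        try:
            stmt = json.loads(body)
        except ValueError:
            return False, "malformed statement"
        if not isinstance(stmt, dict) or not isinstance(stmt.get("nonce"), str):
            return False, "malformed statement"
        # 2. Nonce: issued by us, never used before, still fresh. It is consumed
        #    unconditionally so a failed attempt cannot be retried with it.
        issued = self._nonces.pop(stmt["nonce"], None)
        if issued is None:
            return False, "unknown or reused nonce"
        if now - issued > NONCE_TTL_S:
            return False, "expired challenge"
        # 3. Statement age, so an old statement cannot be held back and replayed.
        ts = stmt.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > STATEMENT_MAX_AGE_S:
            return False, "stale statement"
        # 4. Caller identity: a repackaged or sideloaded clone must not pass.
        if stmt.get("package") != EXPECTED_PACKAGE:
            return False, "unexpected app identity"
        # 5. The verdict itself: rooted, jailbroken or emulated devices fall short.
        if REQUIRED_VERDICT not in stmt.get("verdicts", []):
            return False, "device integrity not met"
        return True, "ok"


def run_scenarios():
    """Run the verifier over constructed requests (sample data); returns name -> result."""
    key = secrets.token_bytes(32)  # platform key, shared here only for the simulation
    v = AttestationVerifier(key)
    t0 = 1_700_000_000.0
    clean = ["MEETS_BASIC_INTEGRITY", REQUIRED_VERDICT]
    out = {}
    good = sign_statement(key, v.issue_nonce(t0), EXPECTED_PACKAGE, clean, t0 + 1)
    out["clean_device"] = v.verify(good, t0 + 2)
    out["replayed_token"] = v.verify(good, t0 + 3)  # same token presented twice
    rooted = sign_statement(key, v.issue_nonce(t0), EXPECTED_PACKAGE,
                            ["MEETS_BASIC_INTEGRITY"], t0 + 1)
    out["rooted_device"] = v.verify(rooted, t0 + 2)
    out["repackaged_app"] = v.verify(sign_statement(
        key, v.issue_nonce(t0), "com.example.bankapp.mod", clean, t0 + 1), t0 + 2)
    out["forged_signature"] = v.verify(sign_statement(
        b"attacker-key", v.issue_nonce(t0), EXPECTED_PACKAGE, clean, t0 + 1), t0 + 2)
    # Verdict upgraded on the device after signing; original signature kept.
    body_b64, sig_b64 = rooted.split(".")
    edited = json.loads(base64.urlsafe_b64decode(body_b64))
    edited["verdicts"] = clean
    out["tampered_verdict"] = v.verify(
        _b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig_b64, t0 + 2)
    out["expired_challenge"] = v.verify(sign_statement(
        key, v.issue_nonce(t0), EXPECTED_PACKAGE, clean, t0 + 1), t0 + 600)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {result}")
```

The order of the checks matters: the signature is verified before anything in the body is trusted, the nonce is consumed before the verdict is read, and the verdict is the last thing examined. A backend that only inspects the verdict field accepts a replayed clean statement from a device that has since been rooted, and one that does not pin the package name accepts a statement obtained by a tampered clone of the app.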
“As organizations globally have embraced mobile to improve both productivity and customer engagement, cybercriminals have taken notice and have transitioned to a mobile-first attack strategy,” said Shridhar Mittal, CEO, Zimperium. “Since 70% of organizations support BYOD and actively build mobile apps for both employees and customers, reducing the mobile attack surface requires a mobile security strategy covering both mobile devices and mobile applications.”
Mobile security can no longer be treated like a side project. Mobile devices must be protected with the same level of focus as traditional endpoints. That means layered security, continuous monitoring, and strong policy enforcement.
The threats are here now. Defenses must be too.