Report Exposes Soft Security Underbelly of Mobile Computing
Zimperium, this week during the 2025 RSA Conference, shared an analysis of mobile computing environments that finds more than 60% of iOS and 34% of Android apps lack basic code protection, with nearly 60% of iOS and 43% of Android apps also vulnerable to leaking personally identifiable information (PII).
More than 50% of devices are running outdated software or versions of operating systems that are known to be compromised, the report also finds.
Kern Smith, vice president of global solutions engineering at Zimperium, a provider of a platform for securing mobile devices and applications, says the analysis makes it clear that while mobile computing has been pervasively adopted, it has now also become the soft security underbelly of enterprise IT organizations.
Smishing attacks that employ text messages to convince users to share PII have become especially problematic, he adds. They now account for more than two-thirds (69%) of mobile phishing attacks. Overall, smishing attacks and vishing attacks (which use phone calls) have increased by 22% and 28%, respectively, according to the report.
Zimperium researchers also observed a 50% year-over-year increase in the use of trojans in attacks, with new banker trojan families being employed, such as Vultur, DroidBot, Errorfather and BlankBot.
Many organizations don’t realize just how vulnerable mobile computing applications and devices actually are, said Smith. End users, for example, might download a consumer application infected with malware onto the same device that is running multiple corporate applications. The odds that malware will jump from one application to another running on the same device are higher than most organizations appreciate, noted Smith.
Cybercriminals, meanwhile, are more adept than ever at creating fake applications and websites through which they distribute malware, or at simply planting malware in documents residing in a shared storage service that will eventually be downloaded onto a mobile device. The challenge is that the malware might not be activated until months, or even years, later.
The days when organizations would acquire mobile devices from vendors such as Blackberry and issue them to their employees are long over. Most end users are accessing a range of corporate applications using mobile devices that are not especially secure. Even those corporate applications have multiple known vulnerabilities that are easily exploited by cybercriminals who have programming skills, noted Smith.
It’s not clear how much malware might be installed on mobile devices, but cybersecurity teams might want to assume that, at this point, those devices are riddled with it. The challenge then becomes how to identify and thwart threats targeting the device, while continuing to scan all the code running on that device to identify both existing malware and any vulnerabilities that might eventually be exploited, said Smith.
Hopefully, advances in artificial intelligence (AI) will make it easier to achieve and maintain that goal. In the meantime, however, cybersecurity teams can rest assured that adversaries are leveraging those same technologies to create even more sophisticated attacks that they will be able to launch in even greater numbers against what today are largely unmanaged mobile devices.