Mobile Threats Surge as Half of Devices Run Outdated Systems, Zimperium Report Finds
- Cyber Jack
- Apr 30
Cybercriminals are doubling down on mobile attacks, and organizations may be far less prepared than they realize.
According to Zimperium’s newly released 2025 Global Mobile Threat Report, nearly 50% of mobile devices worldwide are operating on outdated or unsupported operating systems — a critical vulnerability that attackers are increasingly exploiting. The report, compiled from a year's worth of anonymized telemetry gathered by Zimperium’s mobile threat defense and app analysis technologies, paints a stark picture of an enterprise mobile environment under siege.
"As organizations globally have embraced mobile to improve both productivity and customer engagement, cybercriminals have taken notice and have transitioned to a mobile-first attack strategy," said Shridhar Mittal, CEO of Zimperium.
Mobile phishing—especially smishing, or SMS-based attacks—has exploded, now accounting for more than two-thirds of all mobile phishing attempts. Meanwhile, vishing attacks, where attackers use voice calls to manipulate victims, have surged by 28%, and smishing by another 22%. Attackers are increasingly betting on the low vigilance of mobile users and the intimate, fast-paced nature of text-based communication to bypass traditional security measures.
Perhaps more alarming is the slow march of mobile application vulnerabilities. Over 60% of iOS apps and 34% of Android apps reviewed by Zimperium lacked basic code protections, leaving them wide open to reverse engineering and tampering. The report also highlights that nearly 60% of iOS apps and 43% of Android apps analyzed are prone to leaking personally identifiable information (PII)—a goldmine for threat actors.
Despite widespread awareness campaigns about mobile risks, Zimperium’s data suggests that compromised or poorly secured apps are still slipping through defenses. Users continue to sideload apps from unofficial stores, while enterprises often fail to fully secure internally developed apps shared with employees, suppliers, or customers. Even devices running well-secured apps remain vulnerable if the underlying operating system is outdated—a growing problem given that over a quarter of devices today are incapable of upgrading to current OS versions.
The mobile malware landscape also continues to evolve. Trojan activity spiked by 50% year-over-year, fueled by new malware families like Vultur, DroidBot, Errorfather, and BlankBot. Spyware dominated the 2024 threat categories, a reflection of attackers’ growing focus on exfiltrating sensitive data and intercepting credentials and one-time passwords (OTPs) without users' knowledge.
"The research shows that bad actors targeting mobile devices and apps are constantly evolving their tactics, evading detection, often going unnoticed by enterprises," said Kern Smith, Vice President of Global Solutions Engineering at Zimperium. "To effectively navigate this evolving mobile threat landscape, enterprises need to have real-time threat visibility and comprehensive protection. Adopting a holistic approach that takes into account the entire mobile ecosystem is vital to stay ahead of bad actors looking to exploit enterprises' sensitive data and operations."
The findings underscore a critical reality: as enterprises accelerate mobile adoption—especially in bring-your-own-device (BYOD) environments—security teams must rethink how they monitor, secure, and update the devices and apps employees rely on daily.
The full 2025 Global Mobile Threat Report includes deeper analysis of mobile app vulnerabilities, supply chain threats, and device security risks, offering organizations a roadmap to bolster defenses in an increasingly mobile-first threat landscape.