
Mobile Attack Surface Expands as Enterprises Lose Control

Security Week Archived Apr 03, 2026 ✓ Full text saved

Shadow AI embedded in everyday apps, combined with outdated mobile devices and zero-click exploits, is creating a new and largely unseen mobile risk.



The mobile device attack surface is wide, fragmented, and not adequately controlled.

There are two sides to any coin. Security is the same. To defend any attack surface, you must understand both the condition of the surface on one side, and the type and scale of attacks against it on the other.

Jamf’s report on mobile devices, a retrospective across 2025, does just this. For one side of the coin, it examines the state of iOS and Android devices from a sample group of more than 1.7 million mobile devices (from within its own customer footprint). For the other side, it examines adversarial activity against mobile devices (drawn from its own research and global, national, and industry events).

The playing field

Enterprises are expanding their use of mobile devices, and they collect some very sensitive data. “Healthcare practitioners make visits and collect sensitive data from their patients; airplane pilots and flight crews use mobile devices in preparing and piloting an aircraft with passengers on board; retail uses mobile devices for point of sale, inventory management, warehousing and more,” explains Michael Covington, VP of Portfolio Strategy at Jamf.

The software sophistication is also increasing. The operating systems are becoming more like desktop operating systems with their own file systems. The apps can be powerful, with always-on access to sensitive tools such as Salesforce; and collected data can be held locally until uploaded to the enterprise network.

Mobile devices are both a rich source of data in themselves and a stepping stone into the enterprise for adversaries.

The state of mobile devices

The extent of mobile device security failings uncovered by Jamf is sobering, covering both personal devices and company-issued devices. Fifty-three percent of the organizations had at least one device being used with a critically out-of-date operating system, while 18% had employees that connected to risky hotspots.

One in every 850 devices had been jailbroken. Eight percent of the devices had clicked on a phishing link — and this, put into perspective, means that any company with 100 employees with mobile devices at work had eight employees at serious risk of being phished.

Mobile device apps add to the problem. The latest versions of 135 popular apps were analyzed on December 31, 2025. “About 86% of the 135 apps analyzed have known security flaws, with only 14% considered to have minimal risk. This implies that risk is prevalent in the most common business and personal apps used daily, even on the latest versions,” reports Jamf. Some of the apps contain multiple vulnerabilities.

But there is a new and growing risk from apps: the delivery of unrecognized Shadow AI. By definition, neither the user nor the security team is aware of the presence or activity of Shadow AI; it just silently and invisibly arrives within third-party apps. This is a particular concern for side-loaded apps, but almost certainly also occurs in apps obtained from official app stores.

“I think shadow AI is absolutely a growing risk that needs to be better managed. I think we’re getting more informed as to how it comes into the organization and how widespread the problem might be, but I don’t think we’re even at the start of being able to get this fully under control,” warns Covington.

Adversarial activity

Mobile devices are clearly high-risk, high-value targets for bad actors; and Jamf’s research shows attackers using sophisticated attacks.

The better-known spyware targeting mobile devices during 2025 includes Predator, Pegasus, Graphite, Dante, Landfall, and Spyrtacus. In 2026, we can already add Coruna and DarkSword. Some of these were originally developed by commercial spyware firms primarily for nation-state surveillance, but are also used by financially motivated cyber criminals.

Zero-click attacks are popular among adversaries, especially against journalist and executive targets.

CVE-2025-43300, with a severity score of 10.0, can lead to memory corruption in iOS simply by parsing an image. CVE-2025-24201 is another vulnerability with a severity score of 10.0. The latter can also cause memory corruption or allow an attacker to modify data to execute unexpected code.

Noteworthy Android vulnerabilities appearing in 2025 include CVE-2025-10585 (9.8), which can lead to memory rewrites, crashes and possibly code execution; CVE-2025-48543 (8.8), which could lead to local escalation of privilege with no additional execution privileges needed; and CVE-2024-53104 (7.8), which can lead to out-of-bounds writes that can cause memory corruption or allow an attacker to modify data to execute unexpected code.

Most of the risks described in the report can be defended, but it is clear that individual mobile device users are not always taking the necessary steps. OS vendors patch the CVEs and release frequent OS updates to improve their security. But remember that 53% of the organizations associated with Jamf’s device analysis “had at least one device with a critically out-of-date operating system”; and it takes only one compromised device to potentially threaten the corporate data stores.

Lessons

The purpose of the report is not simply to describe what was happening last year, but to demonstrate the complexity and difficulty that comes with the expanding mobile device attack surface. This report shouldn’t be considered as a simple historical record, but as a living and ongoing metaphor.

“Security is a moving target,” comments Covington. “As we learn more about the techniques that the attackers are using, we refine our defenses.” So far, as this Jamf report indicates, attackers are outpacing defenders. This will continue until and unless enterprises gain better control over their mobile estate.

In many cases, enterprises aren’t aware of the size or complexity of that estate. “So, having a mobile device inventory, understanding how those devices are configured, and having the right control points where you can implement software updates, operating system patches, security fixes, make sure that they’re all in place, and doing so in an ongoing basis is really what we’re focused on helping organizations do here,” he said. By looking back, Jamf is illustrating the complexity of the task ahead.

Written by Kevin Townsend. Kevin Townsend is a Senior Contributor at SecurityWeek.
Article Info
Source: Security Week
Category: Industry News & Leadership
Published: Apr 03, 2026
Archived: Apr 03, 2026