SecurityWeek

Mobile Attack Surface Expands as Enterprises Lose Control


The mobile device attack surface is wide, fragmented, and not adequately controlled.

There are two sides to any coin. Security is the same. To defend any attack surface, you must understand both the condition of the surface on one side, and also the type and scale of attacks against it on the other.

Jamf’s report on mobile devices, a retrospective across 2025, does just this. For one side of the coin, it examines the state of iOS and Android devices from a sample group of more than 1.7 million mobile devices (from within its own customer footprint). For the other side, it examines adversarial activity against mobile devices (drawn from its own research and global, national, and industry events).

The playing field

Enterprises are expanding their use of mobile devices, and they collect some very sensitive data. “Healthcare practitioners make visits and collect sensitive data from their patients; airplane pilots and flight crews use mobile devices in preparing and piloting an aircraft with passengers on board; retail uses mobile devices for point of sale, inventory management, warehousing and more,” explains Michael Covington, VP of Portfolio Strategy at Jamf.

The software sophistication is also increasing. The operating systems are becoming more like desktop operating systems, with their own file systems. The apps can be powerful, with always-on access to sensitive tools such as Salesforce, and collected data can be held locally until uploaded to the enterprise network.

Mobile devices are both a rich source of data in themselves and a steppingstone into the enterprise for adversaries.


The state of mobile devices

The extent of mobile device security failings uncovered by Jamf is sobering, covering both personal devices and company-issued devices. Fifty-three percent of the organizations had at least one device being used with a critically out-of-date operating system, while 18% had employees that connected to risky hotspots. One in every 850 devices had been jailbroken. Eight percent of the devices had clicked on a phishing link; put into perspective, this means that any company with 100 employees with mobile devices at work had eight employees at serious risk of being phished.

Mobile device apps add to the problem. The latest versions of 135 popular apps were analyzed on December 31, 2025. “About 86% of the 135 apps analyzed have known security flaws, with only 14% considered to have minimal risk. This implies that risk is prevalent in the most common business and personal apps used daily, even on the latest versions,” reports Jamf. Some of the apps contain multiple vulnerabilities.

But there is a new and growing risk from apps – the delivery of unrecognized Shadow AI. By definition, neither the user nor the security team is aware of the presence or activity of Shadow AI; it just silently and invisibly arrives within third-party apps. This is a particular concern for side-loaded apps, but almost certainly also occurs in apps obtained from official app stores.

“I think shadow AI is absolutely a growing risk that needs to be better managed. I think we’re getting more informed as to how it comes into the organization and how widespread the problem might be, but I don’t think we’re even at the start of being able to get this fully under control,” warns Covington.

Adversarial activity

Mobile devices are clearly high-risk, high-value targets for bad actors, and Jamf’s research shows attackers using sophisticated attacks. The better-known spyware targeting mobile devices during 2025 includes Predator, Pegasus, Graphite, Dante, Landfall, and Spyrtacus. In 2026, we can already add Coruna and DarkSword. Some of these were originally developed by commercial spyware firms primarily for nation-state surveillance, but are also used by financially motivated cyber criminals.

Zero-click attacks are popular among adversaries, especially against journalist and executive targets. CVE-2025-43300, with a severity score of 10.0, can lead to memory corruption in iOS simply by parsing an image. CVE-2025-24201 is another vulnerability with a severity score of 10.0. The latter can also cause memory corruption or allow an attacker to modify data to execute unexpected code.

Noteworthy Android vulnerabilities appearing in 2025 include CVE-2025-10585 (9.8), which can lead to memory rewrites, crashes and possibly code execution; CVE-2025-48543 (8.8), which could lead to local escalation of privilege with no additional execution privileges needed; and CVE-2024-53104 (7.8), which can lead to out-of-bounds writes that can cause memory corruption or allow an attacker to modify data to execute unexpected code.

Most of the risks described in the report can be defended, but it is clear that individual mobile device users are not always taking the necessary steps. OS vendors patch the CVEs and release frequent OS updates to improve their security. But remember that 53% of the organizations associated with Jamf’s device analysis “had at least one device with a critically out-of-date operating system”; and it takes only one compromised device to potentially threaten the corporate data stores.

Lessons

The purpose of the report is not simply to describe what was happening last year, but to demonstrate the complexity and difficulty that comes with the expanding mobile device attack surface. This report shouldn’t be considered as a simple historical record, but as a living and ongoing metaphor. 

“Security is a moving target,” comments Covington. “As we learn more about the techniques that the attackers are using, we refine our defenses.” So far, as this Jamf report indicates, attackers are outpacing defenders. This will continue until and unless enterprises gain better control over their mobile estate. 

In many cases, enterprises aren’t aware of the size or complexity of that estate. “So, having a mobile device inventory, understanding how those devices are configured, and having the right control points where you can implement software updates, operating system patches, security fixes, make sure that they’re all in place, and doing so on an ongoing basis is really what we’re focused on helping organizations do here,” he said.

By looking back, Jamf is illustrating the complexity of the task ahead.
