82% of all phishing sites now target mobile devices. The figure comes from Zimperium's 2024 zLabs Global Mobile Threat Report, which also shows that 76% of these sites use HTTPS, tricking users into thinking the sites are secure.
Additionally, the report reveals a sharp increase in unique malware samples, which surged 13% year-on-year, with riskware and trojans accounting for 80% of the threats. Healthcare remains the most affected industry, with 39% of mobile threats stemming from phishing attacks.
Cybercriminals are using mobile-first strategies to infiltrate enterprise systems. They exploit weak mobile endpoints, leveraging smaller screens and limited security indicators to deceive users into revealing sensitive information.
"It's undeniable that mobile devices and applications have become the most critical digital channels to protect," said Shridhar Mittal, Zimperium's CEO. "In today's digital age, where 71% of employees leverage smartphones for work tasks, enterprises must effectively protect their mobile endpoints by adopting a multi-layered security strategy including mobile threat defense and mobile app vetting."
Fast Evolution of Phishing and Sideloading Risks
The report also points to the fast evolution of phishing sites. Nearly a quarter of mobile phishing sites go live within 24 hours, operating under the radar of traditional detection methods.
Sideloaded apps—installed outside official stores—pose an additional risk to enterprises. Financial services are especially vulnerable, with 68% of threats linked to sideloaded apps. According to the report, users who engage in sideloading are 200% more likely to encounter malware.
APAC leads in sideloading risks, with 43% of Android devices in the region installing apps from non-official sources.
Platform Vulnerabilities on the Rise
The rise in platform vulnerabilities further complicates mobile security. In 2023, the report identified 1,421 Common Vulnerabilities and Exposures (CVEs) in Android devices, a 58% increase from the previous year. Sixteen of these vulnerabilities were exploited in real-world attacks. iOS devices showed 269 CVEs, with 20 being actively exploited.
Experts agree that companies need to adopt more advanced security solutions.
"Mishing attacks and mobile malware are increasingly evading detection," noted Chris Cinnamo, Zimperium's senior VP of product management.
"To effectively navigate this evolving mobile threat landscape, enterprise security teams must prioritize attacks targeting employee mobile devices. Without proactive measures, these attacks will continue to weave into enterprises, exploiting the sensitive data and disrupting organizational operations."