
Lookout Mobile Threat Landscape Report - Q1 2025

Executive Summary: The Rising Tide of Human Risk

The Q1 2025 Lookout Mobile Threat Landscape Report highlights emerging human risk and AI as the primary drivers of security threats. Building on the "canary in the coal mine" concept from our 2024 Annual Report, this most recent report emphasizes that attackers are targeting individuals through their mobile devices early in their attacks – exploiting the native trust we have in these devices and our natural tendencies to engage with communications that drive curiosity. Modern attacks have evolved from relying on malware and vulnerabilities to leveraging AI-strengthened social engineering, which exploits inherent human instincts and conditioning.

The report's findings include more than one million mobile phishing and social engineering attacks on enterprise users. Together with new and enhanced malware protections and a spotlight on device misconfigurations, the findings reiterate that comprehensive mobile security is crucial for modern enterprises. Taken together, the complexity of mobile ecosystems calls for a two-pronged approach: one that can counter AI-driven attacks while also feeding critical data into existing SIEM, SOAR, and XDR platforms.

Researchers in the Lookout Threat Lab note some particularly concerning findings that show the importance of getting ahead of the modern threat actor. 

1,000,000+
Mobile phishing attacks on enterprise users in Q1 of 2025
100%
Of enterprise organizations protected by Lookout were targeted with socially engineered phishing attacks.
193,000
Malicious apps detected on enterprise devices in Q1

This report is a summary of our findings from the first quarter of 2025, and proves that mobile threats must be thought of as a significant part of the modern day enterprise security strategy.

Nobody knows the mobile threat landscape like Lookout.

Lookout Threat Intelligence Research Highlights

Lookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022. The most recent samples were acquired in December 2024.

ScarCruft is a North Korean state-sponsored cyber espionage group active since 2012. While primarily targeting South Korea, it has also conducted operations in countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations.

Mobile Phishing & Social Engineering: The Ultimate Human Exploit

Employees have long been recognized as the weakest link in enterprise cybersecurity strategies. Our natural human oversight, inevitable missteps, and constantly shifting focus in the work environment make us the perfect target for cybercriminals. Most recently, malicious actors have realized that the most direct way to exploit this human behavior is by targeting individuals on their mobile devices with mobile-focused social engineering attacks. 

These attacks exploit fundamental human instincts—such as trust, curiosity, and urgency—to manipulate individuals into disclosing sensitive information, sharing credentials, granting device access, or otherwise compromising their digital security.

10,546,471
Phishing, malicious, denylisted, and offensive websites blocked by Lookout in Q1 of 2025.
9,557,065
Denylisted and offensive content sites blocked in Q1 of 2025.
1,088,406
Phishing and malicious web attacks were prevented by Lookout in Q1 of 2025.

And building a highly scalable and effective tool to execute these social engineering campaigns isn’t that complicated. All an attacker needs is a single-use license of a couple of sales prospecting tools, a LinkedIn scraper, and employee phone numbers that have inevitably been leaked as part of a data breach. Run this through an AI tool that can build short, convincing SMS messages based on the context of an organization and the attacker is in business. 

REAL WORLD EXAMPLE: SCATTERED SPIDER

Scattered Spider, also known as UNC3944 or Muddled Libra, is a notorious cybercrime gang that made a name for itself by compromising Caesars and MGM resorts in Las Vegas in the summer of 2023. Since then, the group has continued to run rampant across the web, with its most recent successful breaches hitting UK- and US-based retail and insurance companies.

The group is notorious for combining SMS phishing (smishing) and voice phishing (vishing) to trick employees into giving up their login credentials and single sign-on tokens. Despite the group being known for these tactics, most guidance on protecting against Scattered Spider focuses on everything that happens after the actor has compromised a group of employees and gained access to sensitive apps and data.

To learn more about how to protect against the initial attack vectors that Scattered Spider uses, read this guidance from Lookout.

The iOS Walled Garden Drives More Phishing & Social Engineering

Apple is widely known for taking a walled garden approach to its operating systems, particularly with iOS and iPadOS. Doing so allows Apple to have control over its ecosystem, which it claims leads to a more secure experience. While this lessens the likelihood of an iOS device being infected with commodity malware, it does nothing for mobile phishing and social engineering attacks. In Q1, there were almost twice as many encounters with malicious web content, social engineering, or phishing sites on iOS as on Android.

PRO INSIGHT

Researchers in the Lookout Threat Lab have observed a consistent trend in which the same malicious campaign will attempt to deliver malware to Android users but phishing pages to iOS users. That, together with the fact that iOS is known to be the preferred platform in enterprise environments, is a key reason why attackers rely on malicious links to compromise iOS users and devices.

Top 10 Industries Targeted (iOS & Android)

It might come as a surprise that insurance, energy & utilities, and legal services top the list for mobile phishing encounters, despite the expectation that highly regulated sectors like healthcare and financial services would. This discrepancy could be due to attackers targeting the human layer within these industries. Insurance and legal services handle highly personal data and large sums of money, making employees prime targets for exploitation and data theft, which can be used for blackmail or other malicious purposes.

Real world incident: Scattered Spider Targets Insurance Companies

Scattered Spider, which was noted earlier in this report for how it specifically compromises employees via their mobile devices in order to gain access to an organization’s infrastructure, has recently turned its sights on the insurance industry. At the time of this report, Google Threat Intelligence indicated that it has been made aware of a handful of insurance organizations being targeted by Scattered Spider.

In the energy & utilities sector, the risk extends beyond data theft to potential infrastructure disruption. Phishing attacks against employees at regional electric grids or water providers can grant attackers access to internal systems, enabling them to threaten to shut down essential services unless a ransom is paid. This direct access to critical infrastructure, combined with the human vulnerability factor, makes these sectors highly attractive targets for cybercriminals and results in elevated mobile phishing encounter rates.

Customer Spotlight on Phishing Encounter Rates

Location: Europe
Industry: Financial Services
Devices Protected with Lookout: 60,000
Deployment: Android & iOS, Managed & Unmanaged
MDM: Microsoft Intune
Timeframe: January 1st, 2025 - March 31st, 2025

Mobile Vulnerabilities

While one might perceive phishing as the only way that an attacker would exploit the human layer, vulnerabilities are another threat vector tied to the human risk landscape.

Threat actors find vulnerabilities, whether in operating systems or apps, to be excellent entry points. Much like mobile phishing and social engineering, these vulnerabilities can often be exploited by a maliciously crafted webpage delivered via the same messaging mechanisms used for phishing and social engineering.

Attackers leverage zero-click and one-click exploits in the mobile environment, leaving security teams little to no reaction time when employee devices are vulnerable. While known vulnerabilities may be patched within weeks, end users often delay updating, creating a significant exploitation window.

Targeting these vulnerabilities is often the first step in executing a broader device takeover. Once the device is profiled, usually via delivery of a maliciously crafted webpage, the attacker can then leverage the exploit to escape the browser sandbox and eventually take over the device or install surveillanceware.

10 Most Common Mobile Browser Vulnerabilities in Q1 2025

Vulnerabilities within the browser engines and components of mobile devices pose a significant security risk, potentially allowing remote code execution by malicious actors. These exploits frequently originate from compromised web pages delivered via messaging applications, making mobile devices susceptible to various attacks.

The following vulnerabilities are identified by the Lookout detection name:

MultiApp-MultiCVE-2025-0434-0438

A series of vulnerabilities in various components of the Chrome mobile browser including V8, Navigation, Skia, Metrics, and Tracing.

MultiApp-MultiCVE-2024-12381-12382

Two vulnerabilities in Chrome: one type confusion bug in V8 and one use-after-free in Translate.

MultiApp-CVE-2024-12053

A type confusion bug in the underlying V8 JavaScript engine in Chrome that can be exploited via a crafted webpage.

MultiApp-MultiCVE-2024-9954-9966

A use-after-free vulnerability in components of Chrome such as AI, WebAuthentication, and UI.

MultiApp-MultiCVE-2024-9602-9603

A type confusion bug in the underlying V8 JavaScript and WebAssembly engine in Chrome that threat actors can manipulate and exploit.

MultiApp-CVE-2024-7971

A type confusion bug in the underlying V8 JavaScript and WebAssembly engine in Chrome that threat actors can manipulate and exploit.

MultiApp-MultiCVE-2024-10826-10827

Two use-after-free vulnerabilities in the Family Experience and Serial components of Chrome.

MultiApp-CVE-2024-5274

A type confusion bug in the underlying V8 JavaScript engine in Chrome that could allow attackers to execute arbitrary code on the device via a crafted HTML page.

MultiApp-CVE-2023-6345

Integer overflow in Skia in Google Chrome allows an attacker who has compromised the renderer process to perform a sandbox escape via a malicious file.

MultiApp-CVE-2024-0519

Out of bounds memory access in V8 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Pro tip

The majority of the most prevalent mobile browser vulnerabilities in Q1 of 2025 were originally disclosed in 2024. The fact that they were still present in 2025 shows that teams are lacking visibility into their existence or don't have a way to enforce app updates. As part of any enterprise security strategy, it's critical to understand potential entry points across all endpoints, especially those that your employees carry with them 24 hours a day.

Mobile Malware

Mobile malware families vary widely in how they are presented to the victim and what data they target. Some share fundamental similarities with traditional infostealers, employing tactics like screen overlays, keylogging, and credential compromise to steal data and access larger payloads. There’s also the risk of app-based phishing where a malicious app is merely a copycat webview of a legitimate site and asks the user to log in. 

Spyware and surveillanceware further amplify the risk with capabilities such as location tracking, data theft, and unauthorized access to microphones and cameras. These threats effectively allow malicious actors to maintain constant surveillance of employees, thereby exposing sensitive organizational data and personnel to significant danger. 

94,000+
Malicious apps detected on enterprise devices in Q1 of 2025.

5 Most Encountered Malware Families of Q1

Triada
Classification: Trojan
Platform: Android

Triada secretly controls the device and exfiltrates sensitive user data to a third party. This can include a variety of data including text messages, call logs, and contacts.

MoneytiseSDK
Classification: Trojan
Platform: Android

This monetization SDK is embedded into applications and offers to turn your phone into a proxy allowing the developers to make money by routing unvetted network traffic through your device's data connection.

ChoiceClick
Classification: Click Fraud
Platform: Android

This malware is capable of automatically clicking on ads. This can lead to a disrupted user experience and increased network usage.

WAPDropper
Classification: Toll Fraud
Platform: Android

This application will download and execute code from a remote server. This can lead to malicious behavior and result in unexpected charges on the device's bill.

Coper
Classification: Spyware
Platform: Android

This application can forward stored and received text messages to a third party, forward received calls, steal banking credentials, and install other apps. This can lead to financial fraud, a loss of privacy, and a disrupted user experience.

Customer Spotlight on Vulnerabilities

Location: United States
Industry: Federal Government
Devices Protected with Lookout: 50,000
MDM: Microsoft Intune
Timeframe: January 1st, 2025 - March 31st, 2025

23,400
Critical & high risk apps detected
27%
Of app CVEs had a CVSS score of 9.0+

SOC Teams Need to Know Mobile Malware

Mobile threat intelligence enhances security operation centers (SOCs), threat research organizations, and incident response teams by providing visibility into the complex world of mobile malware, a capability many of these groups lack. 

Lookout's Threat Intelligence team leverages the world’s largest mobile security dataset to detect and protect against the most dangerous mobile malware families. Thanks to this depth of data, researchers frequently see overlap between desktop and mobile malware. In the context of a SOC team, this helps identify mobile components of desktop malware campaigns and vice-versa, which in turn helps identify and protect against cross-platform attacks. 

Mobile device security must now be a priority for security teams, given the increased availability of sophisticated malware, the development of state-sponsored mobile malware, an unprecedented number of iOS zero-day vulnerabilities, and a significant reliance on mobile social engineering.

35
New mobile malware families protected against in Q1 of 2025.
71
Known malware families given enhanced protection in Q1 of 2025.

PRO TIP

Security teams need all the intelligence they can get in order to combat sophisticated, evasive cyber attacks. Advanced mobile threat intelligence gives them visibility into global threat trends, helping them stay ahead of attackers and build a stronger security strategy.

Lookout utilizes advanced AI and machine learning technology, combined with proprietary data and analysis, to deliver comprehensive mobile cyber attack protection. Our threat intelligence safeguards your mobile devices from the latest threats.


Most critical threat families of Q1 2025

LonelyAgent
Classification: Surveillanceware
Platform: Android

This surveillance tool can forward data such as text messages, contacts, and call logs to a third party. It can also record the device screen and audio, which can lead to passwords being stolen, enterprise data leaking, and private information being uncovered.

FakeCRM
Classification: Trojan
Platform: Android

This trojan can record the device's screen, perform scripted actions on the user's behalf without the user's involvement, and install additional apps. This can lead to a loss of privacy and/or financial loss.

SparkCat
Classification: Trojan
Platform: Android

This trojan can be integrated with apps that appear to be legitimate but are not. While its main target is financial data, it can also exfiltrate photos and other data from the device to unknown third parties.

UpBanker
Classification: Trojan
Platform: Android

This trojan targets user data and financial information by requesting sensitive information from the user and sharing it with unknown third parties. This can lead to account compromise across any work app should the actor choose to target corporate credentials.

NativeWorm
Classification: Surveillanceware
Platform: Android

This surveillance tool runs secretly in the background and monitors user activity on the device. It collects data such as text messages, contacts, call logs, device data, network information, and more. This data is then uploaded to a remote server to be leveraged against the individual.

Device Risks

In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. This can range from simple device settings to advanced malware that gains root admin access to the device. 

Top device misconfigurations

Security misconfigurations can have serious consequences for users: they can leave a device and the data on it vulnerable to known and unknown exploits.

46.3%
Out of Date OS

Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.

9.2%
Out of date ASPL

Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.

5.2%
No device lock

Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.

3.4%
Unencrypted

This implies that the device doesn't have a password, PIN, biometric recognition, or pattern authentication enabled.
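
The "Pro tip" on browser vulnerabilities above says the problem is visibility into outdated app builds and the ability to enforce updates, and the misconfiguration list above names the device-level conditions (out-of-date OS, out-of-date ASPL, no device lock, unencrypted). The following script is an added example, not Lookout's code or data, showing how a security team could audit a device inventory for exactly those conditions and reproduce the percentage breakdown used in this section. The inventory is constructed; the minimum patched versions in MIN_VERSIONS and the 90-day ASPL threshold are placeholders, not real fixed-in versions from the vendor. The ASPL format (a YYYY-MM-DD date, as Android reports it) is real.

```python
"""Fleet posture audit (added example; inventory, versions and thresholds are constructed/assumed)."""
from datetime import date, timedelta

# Assumption: minimum acceptable versions. Placeholders only; replace with the
# fixed-in versions published for the browser and OS builds you track.
MIN_VERSIONS = {
    ("android", "chrome"): "133.0.0.0",
    ("android", "os"): "14",
    ("ios", "os"): "18.3",
}
# Assumption: an Android Security Patch Level older than this is out of date.
MAX_ASPL_AGE_DAYS = 90

# Constructed inventory; not real devices.
INVENTORY = [
    {"id": "dev-01", "platform": "android", "os_version": "14", "aspl": "2025-02-05",
     "chrome_version": "134.0.6998.39", "device_lock": True, "encrypted": True},
    {"id": "dev-02", "platform": "android", "os_version": "13", "aspl": "2024-10-05",
     "chrome_version": "128.0.6613.88", "device_lock": True, "encrypted": True},
    {"id": "dev-03", "platform": "ios", "os_version": "18.3.1",
     "device_lock": True, "encrypted": True},
    {"id": "dev-04", "platform": "ios", "os_version": "17.6.1",
     "device_lock": False, "encrypted": False},
]
TODAY = date(2025, 3, 31)  # end of the Q1 reporting window


def parse_version(v):
    """Turn '134.0.6998.39' into (134, 0, 6998, 39) so that numeric ordering
    is used; comparing the raw strings would rank '9.0' above '10.0'."""
    return tuple(int(part) for part in v.split("."))


def version_below(installed, minimum):
    """True if the installed version is strictly older than the minimum.
    Shorter tuples are zero-padded so '18.3' compares equal to '18.3.0'."""
    a, b = list(parse_version(installed)), list(parse_version(minimum))
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return tuple(a) < tuple(b)


def assess(device, today):
    """Return the list of misconfiguration findings for one device."""
    findings = []
    platform = device["platform"]
    if version_below(device["os_version"], MIN_VERSIONS[(platform, "os")]):
        findings.append("out_of_date_os")
    if platform == "android":
        # ASPL is reported by Android as a YYYY-MM-DD date string.
        aspl = date.fromisoformat(device["aspl"])
        if today - aspl > timedelta(days=MAX_ASPL_AGE_DAYS):
            findings.append("out_of_date_aspl")
        if version_below(device["chrome_version"], MIN_VERSIONS[("android", "chrome")]):
            findings.append("outdated_browser")
    if not device["device_lock"]:
        findings.append("no_device_lock")
    if not device["encrypted"]:
        findings.append("unencrypted")
    return findings


def summarize(inventory, today):
    """Return (per-device findings, percentage of the fleet per finding)."""
    per_device = {d["id"]: assess(d, today) for d in inventory}
    counts = {}
    for findings in per_device.values():
        for name in findings:
            counts[name] = counts.get(name, 0) + 1
    total = len(inventory)
    percentages = {name: round(100.0 * n / total, 1) for name, n in counts.items()}
    return per_device, percentages


if __name__ == "__main__":
    per_device, percentages = summarize(INVENTORY, TODAY)
    for device_id, findings in per_device.items():
        print(device_id, findings or "clean")
    for name, pct in sorted(percentages.items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {name}")
```

On the constructed inventory the script reports dev-02 as out of date on OS, ASPL and browser at once, and dev-04 as unlocked and unencrypted, which is the combination the misconfiguration list above treats as the most exposed state. Run against a real MDM export, the same percentages map directly onto the categories reported in this section.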

Device Operating System (OS) Threats

Modifying or circumventing a device's security protections through jailbreaking or rooting can disable security features of the operating system, expose the device to malware and potential exploitation, and risk rendering the device inoperable. While some users intentionally perform these actions, malicious actors can also compromise devices, remotely or through physical access, and covertly transform them into surveillance tools. This tactic, particularly prevalent in advanced persistent threat (APT) campaigns linked to cyberespionage and state-sponsored attacks, is exemplified by the operational methods of NSO Group's Pegasus surveillanceware.

Protect Your Company from Cyberattacks

Find out how Lookout can help you safeguard your business against mobile device cyber threats.