Lookout Mobile Threat Landscape Report - Q3 2025

Executive Summary: Mobile Risk Has Become a Persistent Baseline

Mobile Telemetry: The Missing Control Plane in the Modern SOC

For today’s Security Operations Center, visibility into mobile risk is no longer optional—it’s foundational. The threat activity outlined in this report reflects a complex reality: mobile devices have become one of the most reliable early access points for attackers seeking to compromise the enterprise through its people.

Threat actors are now weaponizing AI to industrialize social engineering at scale. By harvesting publicly available and organizational data, they generate compelling, error-free SMS messages that create urgency and build trust. Delivered directly to employees’ mobile devices, these attacks bypass traditional perimeter controls and exploit human behavior. One successful interaction—one credential disclosed—is all it takes to pivot into core infrastructure.

Social engineering is only part of the equation. Mobile devices are also targeted through vulnerability exploitation and malware delivery, mirroring—but evolving beyond—traditional endpoint attacks. The result is the deployment of surveillanceware, spyware, trojans, and other covert tools capable of siphoning sensitive data and persistently monitoring high-value individuals, including executives and government personnel.

Legacy SOC operating models were never designed for this reality. Threshold-based response strategies that wait for multiple users or widespread impact fail when a single compromised mobile device can trigger material risk. Mobile-specific threats require earlier detection, greater signal fidelity, and tighter integration with existing SOC workflows.

This report highlights where mobile risk signals appear earliest, what indicators matter most, and how mobile telemetry can be incorporated into existing SOC workflows.

Lookout Threat Intelligence Research Highlights

Mobile Tooling Continues to Mature

Research published by the Lookout Threat Lab during Q3 2025 highlights a continued evolution in mobile threat tooling. Rather than a proliferation of short-lived malware families, researchers observed incremental enhancements to existing capabilities, particularly in persistence, stealth, and data exfiltration from compromised devices.

Across multiple disclosures, common themes included:

• Surveillance and spyware tooling designed for prolonged access, not immediate disruption
• Use of legitimate mobile permissions and services to blend malicious activity into normal device behavior
• Targeting aligned with geopolitical, regulatory, or financial objectives, rather than indiscriminate distribution

These findings reinforce the role of mobile threats as force multipliers within broader campaigns, often operating alongside phishing, impersonation, and account compromise activity rather than in isolation.

Mobile Phishing & Social Engineering: A Stable Threat Floor, Not a Temporary Spike

Mobile phishing and social engineering once again represented the most significant mobile threat category in Q3 2025, both in volume and operational relevance. Unlike earlier reporting periods, which showed quarter-to-quarter volatility, Q3 data reflect a stable, sustained level of exposure across global enterprise environments.

11,363,845

Denylisted and offensive content sites blocked in Q3 of 2025. 

1,214,610

Lookout prevented phishing and malicious web attacks in Q3 of 2025.

While denylisted and offensive content accounted for the majority of observed sites, the sustained presence of more than 1.2 million enterprise-targeted phishing attacks highlights ongoing attacker investment in impersonating enterprise services, identity providers, collaboration platforms, and internal IT workflows.

Phishing and Malicious Content Attacks by Region

Enterprise phishing and web attack activity varied meaningfully by region in Q3 2025:
‍

This distribution suggests that while EMEA continues to sustain high absolute volume, infrastructure expansion and attacker growth are occurring fastest in APAC and LATAM.

This pattern is consistent with earlier-stage enterprise digital transformation and rapid mobile adoption in these regions, which attackers increasingly view as high-opportunity environments.

Mobile Phishing Encounter Rates

Exposure Remains Structurally Elevated

Global mobile phishing and malicious web encounter rates in Q3 2025 remained remarkably consistent with prior quarters, reinforcing the conclusion that organizations are operating against a persistent threat baseline rather than episodic campaigns.

• Global Phishing click rate (all devices): 12.88%
• Four-quarter average: 12.86%

Platform-Level Exposure

As observed consistently across previous quarters, iOS devices experienced significantly higher exposure than Android devices:

• iOS: 16.07%
  
• Android: 7.78%
  

This more-than-twofold difference reflects attacker delivery strategy and enterprise usage patterns, not inherent platform security differences. Notably, iOS encounter rates increased quarter over quarter, while Android exposure declined modestly.

Managed vs Unmanaged Devices

• MDM-managed devices: 12.63%
• Unmanaged devices: 13.61%

Platform-specific differences are more pronounced:

These figures reinforce a recurring conclusion: MDM provides minimal reduction in overall phishing encounter rates but improves baseline hygiene, unless messaging itself is restricted—an impractical option for most enterprises, particularly for organizations that rely on mobile devices for authentication, collaboration, and frontline communication.

Mobile Vulnerabilities

Beyond phishing, attackers exploit human vulnerabilities through system and app vulnerabilities. These vulnerabilities, much like phishing and social engineering, are often exploited via malicious webpages, delivered through similar messaging channels. 

Attackers employ zero-click and one-click exploits on mobile devices, leaving security teams with minimal reaction time when employee devices are compromised. Even though known vulnerabilities are typically patched quickly, end-users often delay updates, creating a significant window for exploitation.

Targeting these vulnerabilities is frequently the initial step in a broader device takeover. Once a device is profiled, usually through the delivery of a malicious webpage, the attacker can then leverage the exploit to bypass the browser sandbox, ultimately gaining control of the device or installing surveillanceware.

10 Most Common Mobile Browser Vulnerabilities in Q3 2025

The most common vulnerabilities, when measured by volume across the mobile landscape, are typically in web browsers. This makes sense, as every mobile device has one.

While not all of the vulnerabilities listed below were zero-days at the time of observation, their prevalence reflects delayed patch adoption and the widespread reuse of vulnerable browser components across mobile applications.