Unsecured Wi-Fi and Mobile Lapses Are Putting Businesses at Risk


The summer brings with it a surge in employee travel around the globe. Much of this travel is related to work, such as meeting with clients, attending conferences, and visiting sites. Even among the employees who are traveling for personal reasons and taking vacations, many still access work-related accounts while traveling. Mobile security company Zimperium recently released its 2025 Global Mobile Threat Report, detailing the evolution of these threats and the current state of mobile security. This new data indicates that mobile risks multiply during peak travel season.

Key Stats from Zimperium’s 2025 Mobile Threat Report

The Zimperium report contains many statistics that organizations should take into consideration concerning mobile security in 2025. Over five million unsecured public Wi-Fi networks have been created globally since the beginning of the year, and one in three users connects to these networks. One in four devices cannot be updated to the most recent OS, which creates lasting exposure via known vulnerabilities. 60% of Android apps in enterprise environments use basic security tools, while 60% of iOS apps lack basic code protection. Almost 25% of enterprise devices have sideloaded apps, meaning apps that are downloaded to a device outside of the official app stores.

Expert analysis of the report highlights the pressing need to take its findings as a call to improve mobile security. “Zimperium’s findings highlight a concerning reality: many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage, and updated third-party libraries,” according to Vishrut Iyengar, Senior Solutions Manager at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “These weaknesses remain exploitable even in managed enterprise environments. Security teams should no longer treat mobile as an isolated or secondary concern.”

Four Mobile Threats Preying on Travelers

The report outlines the four major mobile threats that are most pressing for traveling employees during peak season.

  1. Man-in-the-Middle Attacks via Public Wi-Fi
    Travelers frequently connect to public Wi-Fi in hotels, airports, and conference venues, networks that attackers can easily spoof. Threat actors often use rogue hotspots in high-traffic locations for credential theft, malware injection, or data interception.
  2. Phishing Disguised as Travel Alerts
    Attackers launch mobile phishing (mishing) and PDF phishing attacks mimicking common travel-related notifications, such as flight updates and hotel bookings. Traveling creates situational behavioral vulnerabilities, as users are often in a rush, distracted, and predisposed to trust travel updates.
  3. Sideloaded and Risky App Downloads
    Travel offers a number of opportunities for users to download new apps, such as tools for communication, transportation, and entertainment. Many of these apps are sideloaded, meaning they are not held to the official app store’s security standards, and may contain malicious payloads.
  4. Captive Portals as Data Collection Traps
    Public Wi-Fi networks often force users through captive portals to log in using information like email addresses or phone numbers, which are often reused in enterprise environments. Attackers can sometimes spoof or compromise these portals to harvest credentials for future phishing or account takeover attacks.

The Enterprise Risk Multiplier

Mobile risks are exacerbated by several trends in enterprise environments, especially given the constant advancement of cybercriminal technology. The rise of remote and hybrid working situations and bring-your-own-device setups in recent years has undermined legacy perimeter-based security tools. This increasing use of mobile and remote devices leads to widely dispersed attack surfaces and inconsistent policy enforcement.

In spite of its growing importance in enterprise environments, mobile security can be a major blind spot for CISOs, often falling by the wayside in favor of more traditional network and endpoint security. The prioritization of these traditional tools fails to adequately account for the organization’s entire attack surface. The continued use of legacy devices and patching paralysis keeps devices and systems vulnerable to known issues and inadequately secured against threats.

Recommendations for Enterprises

Enterprises looking to protect against the multitude of mobile threats present during peak travel season are encouraged to follow mobile security best practices. It is important to enforce zero-trust principles for mobile endpoints, block sideloading, and put secure app vetting policies in place. Organizations should also mandate that employees use VPNs when connecting to public Wi-Fi networks, regularly audit mobile app code for signs of tampering, and educate employees on the dangers of mishing and PDF phishing.

It is crucial for organizations to approach the issue of mobile security proactively and implement modern, advanced tools for protection. “Today’s technology enables organizations to isolate and protect work from any personal use on the same computer, even if the network or device is compromised,” says David Matalon, CEO at Venn, a New York City-based provider of BYOD security technology. “It’s time to stop asking ‘if’ work data and apps will be exposed on a personal device, and start planning for ‘when’ it happens.”

The Mobile Edge Is Now the Frontline

This season is a time of particular risk as the convergence of increased travel, user distraction, and lax mobile protections creates an environment ripe for exploitation. Enterprises must treat mobile threats as core security concerns, not secondary ones, if they wish to protect against some of the most common and harmful attacks in the current threat landscape.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.