Jamf report: Outdated OS, shadow AI raise mobile risk

The Jamf 2025 report, based on 1.7M devices, finds 53% of organizations had at least one device on a critically outdated OS and flags app flaws, shadow AI use, and zero-click spyware.

Jamf’s 2025 mobile security report warns that outdated operating systems, vulnerable apps, and stealthy features such as shadow AI and zero-click spyware are putting corporate data at risk. The findings draw on telemetry from more than 1.7 million iOS and Android devices and an analysis of attacker tactics during 2025. Of 135 popular apps reviewed on December 31, 2025, about 86% had known flaws, while 14% were rated as minimal risk.

The report is a retrospective across 2025 that pairs device-state data from Jamf’s customer deployments with observations of adversary behavior linked to global, national, and industry events. It focuses on how broader business use of mobile devices has expanded the attack surface and increased the impact of software defects and delayed patching.

Jamf notes that modern mobile devices now support many desktop-like functions, including local file storage and powerful business apps with persistent access to company systems. In healthcare, aviation, and retail, employees use phones and tablets for patient data collection, flight preparation, point of sale, and inventory work, making these devices both repositories of sensitive information and potential entry points to enterprise networks.

On device hygiene, 53% of organizations had at least one device running a critically outdated operating system in 2025. The report also found that 18% of organizations had employees connect to risky Wi-Fi hotspots, one in every 850 devices was jailbroken, and 8% of devices registered clicks on phishing scam links. For a company with 100 mobile users, that rate would translate to about eight users encountering a serious phishing risk over the year.

The app review highlights widespread exposure to known vulnerabilities. Some apps carried multiple issues despite being current versions. Jamf also points to a growing concern over shadow AI, where artificial intelligence features are embedded in third-party apps without clear disclosure of what data is collected or how it is used. “I think shadow AI is absolutely a growing risk that needs to be better managed,” noted Michael Covington, Jamf’s vice president of portfolio strategy. He added that organizations are learning how it enters the environment and how common it is, but “I don’t think we’re even at the start of being able to get this fully under control.”

On the threat side, Jamf cataloged active mobile spyware families during 2025, including Predator, Pegasus, Graphite, Dante, Landfall, and Spyrtacus. Coruna and DarkSword emerged in early 2026. Initially developed by commercial vendors for surveillance, these tools have also appeared in criminal campaigns. Zero-click exploits, which require no user interaction, remained a favored technique against high-value targets such as journalists and executives.

The report details several high-severity vulnerabilities affecting iOS and Android. For iOS, CVE-2025-43300 and CVE-2025-24201 each carry the maximum severity score of 10.0 and can trigger memory corruption, potentially enabling code execution when a device parses a malicious image or modified data. On Android, CVE-2025-10585 (severity 9.8) can cause memory rewrites and possible code execution, CVE-2025-48543 (8.8) enables local privilege escalation without requiring additional execution privileges, and CVE-2024-53104 (7.8) can lead to out-of-bounds writes that corrupt memory or allow data to be modified, leading to unexpected code execution.

Vendors released patches for these issues throughout the year, but many organizations lagged in deploying updates. Jamf notes that a single compromised device can jeopardize company systems, and a high rate of out-of-date operating systems extends the window of exposure.

Jamf emphasizes the need for stronger visibility and control across mobile fleets, including bring-your-own-device environments. “Security is a moving target,” Covington remarked. “As we learn more about the techniques that the attackers are using, we refine our defenses.” He underscored the value of knowing what devices are in use, how they are configured, and having control points to push software updates, operating system patches, and security fixes on a continuous basis.

The report frames current mobile risk through a look back at 2025 and calls for consistent patching, app oversight, and policy enforcement across both corporate-issued and employee-owned devices.
