Most mobile security incidents do not start with a sophisticated intrusion into a hardened system. They start with a message, an app, or a network connection that looked normal. The entry point is almost always unremarkable, and that’s exactly what makes it effective. Understanding how attacks actually happen is the first step toward building a security architecture that addresses them. Below are the five most common vectors, and what a concrete response to each looks like.

1. Phishing and smishing
Phishing and smishing are the most common entry point into mobile devices, and the one that attackers have optimized most deliberately: 82% of phishing sites now specifically target mobile devices, according to Zimperium's 2024 Global Mobile Threat Report. The reasons are structural: mobile screens display less context than desktop browsers, full URLs are hidden by default, and users are conditioned to interact quickly. A credential harvesting page that would be obviously suspicious on a desktop is far more convincing on a 6-inch screen under time pressure.
The scale is significant: in 2024, 26% of enterprise iOS devices were targeted with phishing attacks, more than double the rate seen on Android, according to Lookout's Annual Threat Landscape Report. The reason iOS is disproportionately targeted is not that it is less secure, but that it dominates the enterprise, making it the higher-value target.
2. Malicious applications
Apps that appear legitimate but request excessive permissions and exfiltrate data in the background. Lookout detected 427,000 malicious apps on enterprise devices in 2024 alone, the majority classified as trojans, followed by surveillanceware and adware. Many arrive through third-party app stores or are sideloaded onto devices where configuration policies have not been enforced. Without application allowlisting, there is no mechanism to prevent them from running once installed.
The risk is compounded by the fact that many employees install personal apps on work devices, or access corporate resources from personal devices, without any visibility from the security team.
3. Network-based attacks
A device that connects to a corporate VPN at the office may spend the rest of the day on public Wi-Fi, hotel networks, and mobile data connections, each with different security characteristics and each potentially subject to interception or manipulation. The traditional corporate network perimeter provided a meaningful boundary when devices stayed inside it. That condition no longer holds for any organization that operates with mobile devices, remote workers, or cloud-based services. Attackers exploit this by positioning themselves between the device and the network, intercepting traffic, injecting malicious content, or harvesting credentials from unencrypted connections.
4. Zero-click exploits
This is the most severe category, because these attacks require nothing from the target. Tools like Pegasus have been confirmed to compromise fully updated devices without any user interaction, via vulnerabilities in iMessage, HomeKit, and other system components. These attacks have been documented on the devices of diplomats, journalists, lawyers, and government officials across Europe. You cannot train someone to avoid an attack that was never sent to them, and standard endpoint security tools do not detect them at the point of entry. This is not a theoretical risk reserved for high-value targets. Seventy-four governments have contracted commercial spyware since 2011. The targeting has expanded well beyond heads of state.
5. Device misconfiguration
Not every compromise requires a sophisticated attacker or a novel exploit. Devices without encryption, without enforced lock screen policies, without remote wipe capability, or with developer settings enabled are structurally exposed to anyone who gains physical access or connects to the same network. Lookout's research consistently identifies out-of-date operating systems and missing device locks among the most common configurations on enterprise devices, and among the most straightforward to exploit. Misconfiguration is largely a policy enforcement problem. The controls exist. They are simply not applied consistently.
What an effective response looks like
For each of these entry points, there is a specific control that addresses it. Endpoint protection addresses phishing, smishing, and malicious apps before they succeed. Device management enforces configuration policies consistently across the fleet, including encryption, VPN enforcement, application allowlisting, and remote wipe, rather than leaving them as recommendations. A Zero Trust network access approach treats every connection as potentially hostile regardless of location, which is the only posture that makes sense when the perimeter has effectively ceased to exist.
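One concrete form the policy enforcement described above can take is a fleet audit that compares each device's reported configuration against a baseline and flags the gaps listed under device misconfiguration, plus any app outside the allowlist. The block below is an added example, not code from the original article or from any MDM or endpoint protection product; the device records, minimum OS versions, app identifiers and field names are constructed assumptions.

```python
"""Fleet baseline audit: flags the misconfigurations and unapproved apps the article lists.

Added example, not from the original article. Device records, OS baseline and the
app allowlist below are constructed sample data, not any real fleet or policy.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # e.g. "17.4.1"
    encrypted: bool
    lock_screen_enforced: bool
    remote_wipe_enabled: bool
    developer_mode: bool
    installed_apps: tuple    # bundle identifiers / package names


# Assumed minimum OS versions (placeholder values, not a vendor recommendation).
MIN_OS_VERSION = {"ios": "17.0", "android": "14"}

# Assumed allowlist of approved corporate apps (constructed identifiers).
APP_ALLOWLIST = {
    "com.example.mail",
    "com.example.vpn",
    "com.example.authenticator",
}


def parse_version(version: str) -> tuple:
    """Turn "17.4.1" into (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_device(device: Device) -> list:
    """Return a list of findings; an empty list means the device meets the baseline."""
    findings = []
    if not device.encrypted:
        findings.append("storage not encrypted: data recoverable with physical access")
    if not device.lock_screen_enforced:
        findings.append("no enforced lock screen: device usable by anyone who picks it up")
    if not device.remote_wipe_enabled:
        findings.append("remote wipe not enabled: a lost device cannot be sanitised")
    if device.developer_mode:
        findings.append("developer settings enabled: debugging and sideloading exposed")
    minimum = MIN_OS_VERSION[device.platform]
    if parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"os {device.os_version} below baseline {minimum}: unpatched")
    # Allowlisting: anything not explicitly approved is reported, regardless of source.
    unapproved = sorted(set(device.installed_apps) - APP_ALLOWLIST)
    if unapproved:
        findings.append("unapproved apps installed: " + ", ".join(unapproved))
    return findings


def audit_fleet(devices) -> dict:
    """Map device_id -> findings for every device in the inventory."""
    return {d.device_id: check_device(d) for d in devices}


# Constructed sample inventory: one compliant device, two with gaps.
SAMPLE_FLEET = [
    Device("ios-0001", "ios", "17.4.1", True, True, True, False,
           ("com.example.mail", "com.example.vpn")),
    Device("android-0002", "android", "13", True, False, True, True,
           ("com.example.mail", "com.sample.flashlight")),
    Device("ios-0003", "ios", "16.7", False, True, False, False,
           ("com.example.authenticator",)),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_FLEET).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{device_id}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it prints a per-device report; in a real deployment the inventory would be pulled from the management platform's API on a schedule and non-empty findings would drive remediation (enrolment block, forced update, app removal) rather than a printout, which is the difference between a recommendation and an enforced policy.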
For organizations operating at higher risk levels, including critical infrastructure, government, defence-adjacent functions, and executive leadership, the architecture needs to go further. Hardened operating systems, domain separation between work and personal use, and certified encryption at the communication layer are not optional extras for these environments; they are the baseline.
NIS2, transposed into Dutch law in October 2024, has brought communication tools explicitly into the audit scope for eighteen critical sectors. Mobile devices are no longer outside the compliance perimeter, and the organizations that treat them as such are carrying both a security risk and a regulatory one.