With summer in full swing, the world is moving again. Airports are crowded, business trips are back, and employees are logging in from cafés, taxis, and terminals. But as travel picks up, so do the risks, particularly for the mobile devices we carry with us everywhere.
According to Zimperium’s latest research, more than 5 million unsecured public Wi-Fi networks have been discovered globally since January. One-third of users are connecting to them. And attackers are waiting.
“Phones and tablets have become essential productivity tools for a mobile workforce,” Zimperium researchers wrote. “But without the right protections, they can become serious liabilities.”
Mobile Is the New Frontline
Malefactors are constantly honing their tactics. The days of ‘mud-against-the-wall’ malware targeting desktops behind firewalls are long gone. Zimperium’s 2025 Global Mobile Threat Report shows that mobile is often a preferred battlefield, and the stakes are high.
The top threat, as usual, is phishing. Nearly one-third of all mobile threats now stem from it, many using SMS-based “smishing” or deceptive PDFs disguised as travel notifications. A fake boarding pass. A fraudulent hotel confirmation. One tap, and bad actors are in.
Add sideloaded apps into the mix (those installed from outside official app stores) and things get worse. One in four enterprise devices now carries at least one. Many contain hidden malware or backdoors.
Then there’s the update gap. A quarter of devices can no longer receive the latest OS patches. That means known vulnerabilities stay wide open, ripe for exploitation.
Even legitimate apps are under scrutiny. Some 60% of Android apps in enterprise environments rely on only basic protections. On iOS, the story is equally bleak; 60% lack essential code protections, leaving them exposed to tampering and reverse engineering.
Four Major Risks for Travelers
When employees travel, the risks multiply. Here’s what to watch:
MiTM Attacks: Public Wi-Fi is convenient, but also dangerous. Airports, hotels, and cafés are prime targets. Hackers set up rogue hotspots and intercept traffic. Everything from passwords to emails can be siphoned off in seconds.
Phishing Disguised as Travel Alerts: “Your gate has changed.” “Click here to confirm your hotel.” These messages, often sent via SMS or PDF, trick travelers into giving up credentials or installing malware.
Sideloaded and Risky Apps: A translation tool. A taxi app. A quick game for the flight. Travelers often download apps without thinking, many from unofficial sources. That’s a problem.
Captive Portals That Harvest Data: Many Wi-Fi networks require users to pass through a sign-in page. These portals can request email addresses, phone numbers, even social logins. Spoofed versions can collect data for future phishing or credential stuffing.
Hot Zones: Southeast Asia, Luxembourg, and U.S. Cities
Zimperium’s threat map shows Southeast Asia as a rising hotspot for mobile malware. Vietnam, Malaysia, and the Philippines are seeing sharp increases in attacks. The methods vary (sideloaded apps, phishing links, network exploits) but the result is the same: compromised mobile devices.
Oddly, Luxembourg has also emerged as an outlier. A small country with a dense digital ecosystem and high rates of business travel, it’s become a surprising magnet for mobile attacks.
Back in the U.S., cities like Los Angeles, New York, Portland, Miami, and Seattle are feeling the heat. Peak travel months see spikes in mobile malware as attackers exploit unsecured networks and distracted users.
What Can Businesses Do?
The best defense is visibility. Security teams need to know where devices are, what they’re connecting to, and how they’re behaving. That starts with a mobile threat defense strategy.
Checklist for summer mobile security:
- Ensure all mobile endpoints are visible and managed
- Enforce compliance policies across devices
- Block access to unsecured Wi-Fi
- Educate employees on travel-specific threats
- Deploy a mobile security solution like Zimperium’s
Not ‘If’ But ‘When’
David Matalon, CEO at Venn, says these risks go well beyond just mobile. “As more employees work remotely from home offices or while traveling, they’re often using not just personal phones, but personal laptops as well, often over unsecured networks. The traditional perimeter is gone, and the Bring-Your-Own-Device (BYOD) reality for remote workers requires a shift in strategy: from securing the device to securing the work itself.”
Matalon says today’s technology enables organizations to isolate and protect work from any personal use on the same computer, even if the network or device is compromised. “It’s time to stop asking ‘if’ work data and apps will be exposed on a personal device, and start planning for ‘when’ it happens.”
Test Continually, on Real Devices
As mobile devices increasingly function as both endpoints and development environments, they have become a primary vector for attackers, adds Vishrut Iyengar, Senior Solutions Manager at Black Duck. “Zimperium’s findings highlight a concerning reality: many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage, and updated third-party libraries. These weaknesses remain exploitable even in managed enterprise environments.”
Iyengar says security teams should no longer treat mobile as an isolated or secondary concern. “Mobile applications need to be tested continuously, on real devices, and incorporated into a broader application security strategy. This strategy should cover proprietary code, third-party SDKs, and open-source components to ensure complete risk coverage and application security without compromise.”
Enforce Strict Controls
Mobile devices are a prime target for attackers, particularly when employees connect to unsecured Wi-Fi or download apps from outside official stores, comments J Stephen Kowski, Field CTO at SlashNext.
“Security teams need to keep a close eye on all mobile endpoints and enforce strict controls to block risky connections and apps. Automated, real-time detection that adapts to new threats can stop phishing and malware before they cause damage. This approach helps protect sensitive data without slowing down employees who need to work on the go,” Kowski ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


