freeRASP protects devices all around the world — safeguarding millions of mobile users from fraud, tampering, and emerging cybersecurity threats every single day. With a presence across continents and industries, our detection network continuously monitors real-world attacks and security anomalies to keep applications safe.

The report summarizes the key findings from Talsec’s continuous monitoring efforts, highlighting the most active threat areas and the techniques used to compromise device integrity and application trust. These insights empower organizations to anticipate risks, adapt defenses, and improve the safety of their mobile ecosystems.

App distribution risks occur when an application is compromised or delivered through insecure or unauthorized channels. Attackers may modify an app’s code, repackage it, or upload it to unofficial stores, exposing users to counterfeit or unsafe versions. Such threats target the integrity of the distribution process and can result in tampered, outdated, or malicious variants reaching unsuspecting users.

Tampering occurs when an attacker deliberately modifies an application after it has been released, altering its behavior or functionality without the developer’s consent. This can include injecting malicious code, removing security protections, or changing features to bypass licensing or monetization controls.

It is one of the most direct threats to app integrity, as only the legitimate developer holds the original signing key. Standard signature checks during installation only verify that the app is signed—they do not confirm that it was signed with the expected developer key. As a result, tampered apps can bypass normal installation validation and reach end users.

An unofficial store incident indicates that the source of an app’s installation is not approved. This typically occurs when an app is installed from a third-party store that hasn’t been authorized. Such installations compromise supply chain integrity and can expose users to high-risk versions of otherwise trusted software.

While third-party stores offer consumers more freedom of choice, they make it harder for businesses to ensure that apps are secure and compliant. Many alternative stores do not follow best practices and allow apps to be uploaded without adhering to Google or Apple policies, or even contain malware. In some cases, your app—potentially modified with hidden malware or removed paywalls—could appear on these stores without your knowledge, allowing users to download it freely.

Runtime attacks target the live execution environment of an application rather than its static code. They exploit weaknesses that appear once the app is running, such as in-memory manipulation, debugging abuse, or dynamic code tampering, to gain control over sensitive operations.

Hooking is when someone injects code into an app while it is running so they can observe or change what the app does. Tools like Frida let attackers read sensitive data, bypass checks, or disable protections such as certificate pinning.

Hooking remains a favored tactic for both testing defenses and active exploitation. There are plenty of scripts online which enables bypassing of various security checks. Hooking is often times detected together with rooting and jailbreaking.

Debugging lets an attacker to inspect an app while it runs, which can expose memory, keys, or internal logic. When debugging features are misused, they give attackers a view into an app's internals. An attacker can read memory, extract keys, or trace code paths to find and reproduce vulnerabilities. Unauthorized debugging is often an early sign of reverse engineering or active compromise attempts.

Screenshotting and screen recording occur when a visual copy of an app is taken while it runs. When abused, these captures can leak private data like bank balances, passwords, authentication codes, or personal messages. Both casual accidental captures and deliberate malicious recordings are threats to user privacy and to application security.

Attackers often combine screenshotting or screen recording with techniques such as hooking or repackaging. They may also publish apps that run hidden background capture. By automating these tools and distributing the apps widely, an attacker can harvest credentials and other sensitive data from many devices at once.
‍

Although these factors may not directly damage the application, they alter the device environment in ways that enable or facilitate potential attacks. Such indicators often act as early warning signs of an impending compromise targeting your application.

Rooting (Android) or jailbreaking (iOS) refers to obtaining privileged system-level access by bypassing the device’s built-in security restrictions. This significantly increases the attack surface, enabling malicious actors to execute arbitrary code, disable critical security controls, or install unauthorized applications.

Threat actors continuously develop and distribute new methods to exploit vulnerabilities that allow privilege escalation. A rooted or jailbroken device represents a security breach as the application can no longer trust the device, its security controls, or even its own execution environment. However, not every rooted or jailbroken sign might be an attacker. Some users perform this to bypass manufacturer-imposed limitations and customize their devices and systems to their wants.

Emulated and simulated environments can be easily modified or controlled, attackers may use them to reverse-engineer applications or to bypass security features. Because emulators often lack hardware backed protections, they make key extraction, scripting, and large scale abuse easier. The usage of emulators is more prevalent in the gaming industry.

Developer Mode gives access to tools and information that help test and debug applications. However, it also reduces the device’s overall security. With developer mode enabled, protections that normally safeguard user data are relaxed, increasing the risk of misuse or attacks. For example, it enables USB debugging, which can sometimes be exploited as a bridge to gain root access.

While developer mode alone is not inherently dangerous (most mobile developers have it enabled) it is a useful signal when combined with other threats such as rooting, app tampering, or debugging. Monitoring developer mode status can help identify higher risk devices or potential compromise attempts.

ADB (Android Debug Bridge) Enabled is a power-user feature activated through the "USB Installation" option in the Developer settings. This state can signal potential security risks, such as apps being installed via USB, the device being connected to a man-in-the-middle (MiTM) proxy, or the device running as an emulator.

When ADB is enabled, it allows extensive access to the device, including pulling and pushing files, issuing shell commands, working with the activity manager (e.g., starting activities, broadcasting intents, modifying hidden Android settings, attaching a profiler to a process, or making an app debuggable), and managing packages.

Virtual Private Network (VPN) is a secure network tunnel that encrypts traffic and routes it through remote servers. It can also mask the origin of requests, hiding the user’s location.

While VPNs are generally considered a positive security practice, there are cases where their use may conflict with regulations or organizational policies. For example, a VPN can obscure online activity from network monitoring systems, which may violate workplace, school, or government rules that require visibility or content filtering. VPNs can also be used to bypass regional restrictions for content distribution, including app stores or video-on-demand services.

Device specifics map the features and properties of devices in context. It is not only important to understand which threats are currently targeting applications, but also useful to gain insight into the devices themselves. This information provides a broader view of the security posture exercised by users.

OS versions serve as useful indicators for two main reasons. First, they provide insight into the age and type of devices in use. Older OS versions often correspond to older or lower-cost devices, although this is not always the case, as some manufacturers continue to provide updates and security patches for older models. Second, OS versions reflect the security posture of devices. Newer OS versions generally offer better protection against known vulnerabilities and may support newer security features and APIs. Attackers are more likely to discover exploits for outdated, unpatched operating system versions using publicly available information.

Mobile services provide manufacturer-specific features such as advertising, location, push notifications, authentication, and mapping. Examples include Google Play Services for most Android devices and Huawei Mobile Services for Huawei devices. Knowing how many users have these services enabled matters because it dictates which SDKs/APIs are dependable at scale, the reliability of critical features (push, maps, location, sign-in), the availability of device-integrity and fraud signals, and the size of the monetizable audience for ads and analytics.

Devices have multiple security features which can tell you about security of device.

Hardware-backed keystore is a feature which allows device to make secure cryptographic operations using dedicated hardware. It provides stronger protection for sensitive keys by isolating them from the main operating system, reducing the risk of extraction and unauthorized access.

Screen Lock is useful indicator of how the user is securing a device. Knowing how many users have a screen lock enabled is important because devices without it are more vulnerable to unauthorized access and data theft.

Biometrics then work in tandem with screen lock, being important as it strengthens device security by providing a more reliable and convenient way to protect user data against unauthorized access.

Runtime Application Self-Protection (RASP) closes the gaps by monitoring and defending the app from within: detecting in-memory manipulation, hooking frameworks, unauthorized signing/repacks, and risky runtime conditions in real time. Deploying RASP reduces the window of exposure, prevents many common bypasses (e.g., Frida-style instrumentation or repackaged binaries), and provides the telemetry needed to prioritise responses where attackers are most active.

RASP protection is especially critical for sectors where trust and data integrity are paramount — such as financial institutions, healthcare, and other regulated industries — where even a single compromise can lead to severe financial loss, privacy violations, and regulatory consequences. In these environments, in-app protection is not just a security enhancement but a compliance and business necessity.

Source of data: anonymized security diagnostics data from thousands of mobile applications integrating the freeRASP SDK.