# Talsec Global Threat Report 2025

In September 2025, mobile app security firm Talsec released its Global Threat Report, a data-driven look at the state of mobile application security drawn from its freeRASP SDK. With telemetry from more than **365 million** devices running over **5,000 apps**, the report offers one of the most comprehensive snapshots available of how (and where) mobile applications are being attacked in the wild.

The headline finding is simple: while serious incidents are rare in percentage terms, they are significant at scale, and the attack surface looks very different from one region to the next.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2F7tLJqWgudS6tUhouQ1oY%2FHow%20to%20Stop%20Bots%20Without%20CAPTCHA%20(1).png?alt=media&#x26;token=d9bd3a53-8018-47d1-ba1c-17cee98ea2a4" alt=""><figcaption></figcaption></figure>

### A tiered view of the threat landscape

Talsec organizes mobile threats into three severity tiers:

* **Critical**\
  App Tampering, Debugging, and Hooking
* **Major**\
  Root/Jailbreak, Unofficial Store installs, and Simulator use
* **Warning**\
  Screenshotting/Screen Recording, System VPN, Developer Mode, and ADB enabled

Looking across the global map, North America stands out for critical-tier incidents, particularly tampering and hooking. South Asia dominates several "major" and "warning" indicators tied to sideloading and developer-mode usage. Europe leads in screen capture incidents and VPN adoption.

### App distribution risks: tampering and unofficial stores

**App tampering**, where an attacker modifies and re-signs an app after release, is highest in North America at 0.131% of devices, followed by Europe at 0.058%. That may sound tiny, but North America's rate is roughly 26× higher than Latin America's and reflects attackers concentrating effort where the payoff is greatest.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FjReYIHEbBjsHMbjQZxsu%2Fimage.png?alt=media&#x26;token=da53f3a6-14ff-4aa0-a7bd-c2438f2878ea" alt="" width="563"><figcaption><p>Regional distribution of Tampering incidents</p></figcaption></figure>

**Unofficial store** installs tell a different regional story. South Asia leads at 0.456%, more than twice the North American rate and nearly four times Europe's. This tracks with the prevalence of third-party marketplaces and cloning apps in those markets - channels that routinely skip Google and Apple's policy enforcement and sometimes host apps quietly modified with malware or stripped paywalls.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FpptGkc1jQSYfodlQUHNz%2Fimage.png?alt=media&#x26;token=beff49aa-e608-420a-8863-aa70222f52cc" alt="" width="563"><figcaption><p>Regional distribution of Unofficial Store incidents</p></figcaption></figure>

### Runtime attacks: hooking, debugging, and screen capture

Runtime attacks target the live app rather than its static code — and they are where attacker sophistication shows.

**Hooking** (e.g., Frida-style instrumentation used to read memory, bypass checks, or disable certificate pinning) is highest in North America at 0.202%, reflecting a mature pentesting and security-research scene alongside active criminal exploitation. Latin America registers just 0.008%.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FoxLhCZzBe2m8bOB242Qb%2Fimage.png?alt=media&#x26;token=b07d5fad-7261-41ef-90a2-e609a1b79c58" alt="" width="563"><figcaption><p>Regional distribution of Hooking incidents</p></figcaption></figure>

**Debugging** incidents are led by Europe (0.055%) and South Asia (0.052%), with North America and MENA lowest at 0.009%. Talsec attributes Europe's higher rate to its active bug-bounty culture, and North America's lower rate partly to enterprise-managed devices that block debugging.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FkMeBwdBgDPDjvFzlaZGt%2Fimage.png?alt=media&#x26;token=8765eba3-d724-4f41-bd37-ad4f986b4ff3" alt="" width="563"><figcaption><p>Regional distribution of Debugging incidents</p></figcaption></figure>

**Screenshotting** and screen recording is by far the most common "warning" incident. Europe tops the chart at 3.98%, closely followed by North America (3.78%) and MENA (3.51%). These regions face heavy pressure from banking-focused malware and fraud operations that rely on screen-capture streaming to exfiltrate credentials, balances, and one-time codes.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FSExiiGS8FzpWyhVWOO2b%2Fimage.png?alt=media&#x26;token=25015342-dffa-4f1e-b61d-95a3e10c4e15" alt="" width="563"><figcaption><p>Regional distribution of Screenshotting / Screen Recording incidents</p></figcaption></figure>

### Device environment risks

Even when an app itself isn't attacked directly, a compromised device sets the stage.

**Rooted/jailbroken** devices are most common in North America (0.294%), which Talsec links to permissive norms and large modding communities. Latin America sits at just 0.023%, consistent with fraud in that region skewing toward social engineering rather than device compromise.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FFNOpEnadSQzNqc0fRlAb%2Fimage.png?alt=media&#x26;token=d3140256-eea9-4c95-81fb-4ba754203aa4" alt="" width="563"><figcaption><p>Regional distribution of Root / Jailbreak incidents</p></figcaption></figure>

**Simulators/emulators** are most prevalent in Asia Pacific (0.034%) and Europe (0.028%), driven largely by game emulation and click-farm automation.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FUoB7LdOebgAHrbzuyfCh%2Fimage.png?alt=media&#x26;token=51105b70-e2ac-4425-aa91-47441dd665d4" alt="" width="563"><figcaption><p>Regional distribution of Simulator incidents</p></figcaption></figure>

**Developer Mode** enabled is dramatically skewed toward South Asia at 1.147% (about 382× the North American rate), reflecting a broad sideloading culture. ADB enabled follows the same pattern, with South Asia at 0.802% versus North America's 0.004%.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FoobRnPmafmy6a9APu7HA%2Fimage.png?alt=media&#x26;token=449f7f90-21f3-4553-acac-1a4149eb4fb3" alt="" width="563"><figcaption><p>Regional distribution of devices with Developer Mode enabled</p></figcaption></figure>

**System VPN** adoption is highest in Europe (9.32%) and North America (4.96%), with Asia Pacific (3.89%) showing pockets of very high national use tied to censorship workarounds.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FYz0uD6cPj5rUaDEvAf15%2Fimage.png?alt=media&#x26;token=380202b7-03d2-4fbd-98a9-777e1a383d7b" alt="" width="563"><figcaption><p>Regional distribution of devices with System VPN enabled</p></figcaption></figure>

### Device specifics: OS versions, mobile services, and security posture

The report also surveys the devices themselves:

**iOS** is highly consolidated around version 18.x globally, with iOS 26 rapidly gaining share — reflecting Apple's centralized update model.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FQrhta2IWGdpXy0veOOTz%2Fimage.png?alt=media&#x26;token=38b7f794-2bbd-4a3b-9548-b92decae4575" alt="" width="563"><figcaption><p>Regional distribution of iOS versions</p></figcaption></figure>

**Android** is fragmented by region: North America runs the newest versions (strong 16.x and 15.x), while MENA and Asia Pacific still carry meaningful 10.x–12.x populations, increasing exploit exposure.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FTG73Lk2lAPjBeP6eK1GN%2Fimage.png?alt=media&#x26;token=8c40a0bb-68c1-4b4e-86ba-887d39edc547" alt="" width="563"><figcaption><p>Regional distribution of Android versions</p></figcaption></figure>

**Google Play Services** coverage is effectively universal (>99% in most regions), with Asia Pacific the sole outlier at 93.39% due to mainland China's blocks on Google. Correspondingly, Huawei Mobile Services is strongest in MENA (6.31%) and Asia Pacific (4.14%).

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2F0v0fhGHR0Ca3K0TmCC4F%2Fimage.png?alt=media&#x26;token=60bab71b-c4d2-4ccd-9774-4beee99304d5" alt="" width="563"><figcaption><p>Regional distribution of mobile services (Google Play)</p></figcaption></figure>

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2F5QnAQOasqbMWivd02BiO%2Fimage.png?alt=media&#x26;token=72a60ed5-9290-4d3f-a16a-f97ce173c4a1" alt="" width="563"><figcaption><p>Regional distribution of mobile services (Huawei Mobile Services)</p></figcaption></figure>

**Hardware-backed keystores** are essentially universal, so the weak link isn't cryptographic hardware but user posture: screen locks and biometrics. Europe leads in biometric adoption; Asia Pacific trails the pack by roughly 10 points on both locks and biometrics.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FDwQ3KxdRznsYrAJq8wV1%2Fimage.png?alt=media&#x26;token=72915cea-83a3-4053-a2ac-6faafe7c4569" alt="" width="563"><figcaption><p>Regional distribution of Hardware-backed Keystore</p></figcaption></figure>

### The takeaway: RASP is no longer optional

The conclusion is unsurprising, but the data makes the case cleanly: signature checks at install time verify only that an app is signed, not that it was signed by the legitimate developer. Once an app is running on a rooted device, under a hooking framework, or inside a repackaged binary from an unofficial store, the operating system's default protections have already been outflanked.
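To make the signed-versus-signed-by-the-developer distinction concrete, here is an added Android example (not code from the report or from freeRASP) that compares the installed APK's signing certificate with a pinned digest. `checkSigner`, `SignerCheck`, and `EXPECTED_SIGNER_SHA256` are hypothetical names, the digest is a placeholder, and the sketch assumes API 28 or later.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Placeholder (assumption): lowercase hex SHA-256 of your release signing
// certificate in DER form. Not a real value.
private const val EXPECTED_SIGNER_SHA256 = "<sha256-of-release-signing-certificate>"

enum class SignerCheck { MATCH, MISMATCH, UNSUPPORTED }

// Hypothetical helper: hex-encode the SHA-256 digest of a DER certificate.
private fun sha256Hex(der: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(der)
        .joinToString("") { "%02x".format(it) }

// Compares the certificate that signed the installed APK with the pinned one.
fun checkSigner(context: Context): SignerCheck {
    // SigningInfo exists from API 28; older devices need a different path.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return SignerCheck.UNSUPPORTED

    val info = context.packageManager.getPackageInfo(
        context.packageName,
        PackageManager.GET_SIGNING_CERTIFICATES
    )
    val signingInfo = info.signingInfo ?: return SignerCheck.MISMATCH

    // apkContentsSigners holds the current signer(s), without rotated-out certificates.
    val signers = signingInfo.apkContentsSigners ?: return SignerCheck.MISMATCH

    // A re-signed build verifies fine at install time but carries a different
    // certificate, so the digest no longer matches. Extra signers are also rejected.
    if (signers.size != 1) return SignerCheck.MISMATCH
    val actual = sha256Hex(signers[0].toByteArray())
    return if (actual == EXPECTED_SIGNER_SHA256) SignerCheck.MATCH else SignerCheck.MISMATCH
}
```

Because this check runs inside the app, whoever repackages the binary can also patch it out, so treat the result as one signal to report to the backend rather than as a gate on its own.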

**Runtime Application Self-Protection (RASP)** closes that gap by detecting in-memory manipulation, hooking tools, unauthorized repacks, and risky runtime conditions while the app is executing — and by generating the telemetry needed to focus defenses on whichever region or threat class is heating up. For regulated sectors like finance and healthcare, where a single compromise carries severe financial, privacy, and compliance consequences, Talsec argues in-app protection has crossed from "enhancement" to "business necessity."

***

{% hint style="info" %}
You can find the report [**here**](https://www.talsec.app/talsec-global-threat-report-2025).
{% endhint %}

