
Talsec Global Threat Report 2025

Where the Attacks Are and What They Look Like

In September 2025, mobile app security firm Talsec released its Global Threat Report, a data-driven look at the state of mobile application security drawn from its freeRASP SDK. With telemetry from more than 365 million devices running over 5,000 apps, the report offers one of the most comprehensive snapshots available of how (and where) mobile applications are being attacked in the wild.

The headline finding is simple: while serious incidents are rare in percentage terms, they are significant at scale, and the attack surface looks very different from one region to the next.

A tiered view of the threat landscape

Talsec organizes mobile threats into three severity tiers:

  • Critical: App Tampering, Debugging, and Hooking

  • Major: Root/Jailbreak, Unofficial Store installs, and Simulator use

  • Warning: Screenshotting/Screen Recording, System VPN, Developer Mode, and ADB enabled

Looking across the global map, North America stands out for critical-tier incidents, particularly tampering and hooking. South Asia dominates several "major" and "warning" indicators tied to sideloading and developer-mode usage. Europe leads in screen capture incidents and VPN adoption.

App distribution risks: tampering and unofficial stores

App tampering, where an attacker modifies and re-signs an app after release, is highest in North America at 0.131% of devices, followed by Europe at 0.058%. That may sound tiny, but North America's rate is roughly 26× higher than Latin America's and reflects attackers concentrating effort where the payoff is greatest.

Regional distribution of Tampering incidents

Unofficial store installs tell a different regional story. South Asia leads at 0.456%, more than twice the North American rate and nearly four times Europe's. This tracks with the prevalence of third-party marketplaces and cloning apps in those markets - channels that routinely skip Google and Apple's policy enforcement and sometimes host apps quietly modified with malware or stripped paywalls.

Regional distribution of Unofficial Store incidents

Runtime attacks: hooking, debugging, and screen capture

Runtime attacks target the live app rather than its static code — and they are where attacker sophistication shows.

Hooking (e.g., Frida-style instrumentation used to read memory, bypass checks, or disable certificate pinning) is highest in North America at 0.202%, reflecting a mature pentesting and security-research scene alongside active criminal exploitation. Latin America registers just 0.008%.

Regional distribution of Hooking incidents

Debugging incidents are led by Europe (0.055%) and South Asia (0.052%), with North America and MENA lowest at 0.009%. Talsec attributes Europe's higher rate to its active bug-bounty culture, and North America's lower rate partly to enterprise-managed devices that block debugging.

Regional distribution of Debugging incidents

Screenshotting and screen recording is by far the most common "warning" incident. Europe tops the chart at 3.98%, closely followed by North America (3.78%) and MENA (3.51%). These regions face heavy pressure from banking-focused malware and fraud operations that rely on screen-capture streaming to exfiltrate credentials, balances, and one-time codes.

Regional distribution of Screenshotting / Screen Recording incidents

Device environment risks

Even when an app itself isn't attacked directly, a compromised device sets the stage.

Rooted/jailbroken devices are most common in North America (0.294%), which Talsec links to permissive norms and large modding communities. Latin America sits at just 0.023%, consistent with fraud in that region skewing toward social engineering rather than device compromise.

Regional distribution of Root / Jailbreak incidents

Simulators/emulators are most prevalent in Asia Pacific (0.034%) and Europe (0.028%), driven largely by game emulation and click-farm automation.

Regional distribution of Simulator incidents

Developer Mode enabled is dramatically skewed toward South Asia at 1.147% (about 382× the North American rate), reflecting broad sideloading culture. ADB enabled follows the same pattern, with South Asia at 0.802% versus North America's 0.004%.

Regional distribution of devices with Developer Mode enabled

System VPN adoption is highest in Europe (9.32%) and North America (4.96%), with Asia Pacific (3.89%) showing pockets of very high national use tied to censorship workarounds.

Regional distribution of devices with System VPN enabled

Device specifics: OS versions, mobile services, and security posture

The report also surveys the devices themselves:

iOS is highly consolidated around version 18.x globally, with iOS 26 rapidly gaining share — reflecting Apple's centralized update model.

Regional distribution of iOS versions

Android is fragmented by region: North America runs the newest versions (strong 16.x and 15.x), while MENA and Asia Pacific still carry meaningful 10.x–12.x populations, increasing exploit exposure.

Regional distribution of Android versions

Google Play Services coverage is effectively universal (>99% in most regions), with Asia Pacific the sole outlier at 93.39% due to mainland China's blocks on Google. Correspondingly, Huawei Mobile Services is strongest in MENA (6.31%) and Asia Pacific (4.14%).

Regional distribution of mobile services (Google Play)
Regional distribution of mobile services (Huawei Mobile Services)

Hardware-backed keystores are essentially universal, so the weak link isn't cryptographic hardware but user posture: screen locks and biometrics. Europe leads in biometric adoption; Asia Pacific trails the pack by roughly 10 points on both locks and biometrics.

Regional distribution of Hardware-backed Keystore

The takeaway: RASP is no longer optional

The conclusion is unsurprising, but the data makes the case cleanly: signature checks at install time verify only that an app is signed, not that it was signed by the legitimate developer. Once an app is running on a rooted device, under a hooking framework, or inside a repackaged binary from an unofficial store, the operating system's default protections have already been outflanked.

Runtime Application Self-Protection (RASP) closes that gap by detecting in-memory manipulation, hooking tools, unauthorized repacks, and risky runtime conditions while the app is executing — and by generating the telemetry needed to focus defenses on whichever region or threat class is heating up. For regulated sectors like finance and healthcare, where a single compromise carries severe financial, privacy, and compliance consequences, Talsec argues in-app protection has crossed from "enhancement" to "business necessity."
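To make the signing gap concrete, the following added example (not code from Talsec, freeRASP, or the report) shows the basic runtime check an Android app can make: compare the certificate that signed the installed APK against digests pinned by the developer. The function name, the pinned set, and the placeholder digest are assumptions for illustration.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Assumption: lowercase hex SHA-256 digests of the certificates you release with.
// The entry below is a placeholder, not a real digest.
private val PINNED_CERT_SHA256 = setOf("<sha256-of-your-release-certificate>")

/** Hypothetical helper: true only if every APK signer is one of the pinned certificates. */
fun isSignedByPinnedCertificate(context: Context): Boolean {
    // SigningInfo exists from API 28; this sketch fails closed on older devices.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return false

    val packageInfo = try {
        context.packageManager.getPackageInfo(
            context.packageName,
            PackageManager.GET_SIGNING_CERTIFICATES
        )
    } catch (e: PackageManager.NameNotFoundException) {
        return false
    }

    // apkContentsSigners lists the certificate(s) that signed the installed APK.
    val signers = packageInfo.signingInfo?.apkContentsSigners
    if (signers == null || signers.isEmpty()) return false

    // A repackaged build is re-signed with a different key, so its digest will not match.
    return signers.all { signer ->
        val digest = MessageDigest.getInstance("SHA-256").digest(signer.toByteArray())
        val hex = digest.joinToString("") { "%02x".format(it) }
        hex in PINNED_CERT_SHA256
    }
}
```

A check like this lives inside the app it protects, so it can itself be patched out or hooked; it is one signal to combine with hook, root, and installer-source detection and with server-side handling of the result.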


You can find the report here.

