Mobile Security Statistics and Breach Data: US Trends
Mobile devices represent one of the most actively targeted surfaces in enterprise and consumer cybersecurity, generating a dense record of breach incidents, vulnerability disclosures, and regulatory enforcement actions across the United States. This page maps the statistical landscape of mobile security in the US — covering breach frequency, malware prevalence, platform-specific exposure, and the regulatory frameworks that shape incident reporting obligations. Professionals assessing organizational risk, researchers benchmarking threat posture, and procurement teams evaluating mobile endpoint detection and response solutions rely on this data to establish baselines and identify sector-specific patterns.
Definition and scope
Mobile security statistics encompass quantified records of security incidents, vulnerability counts, malware distribution rates, and breach disclosure data specifically attributable to mobile platforms — primarily iOS and Android devices — operating within US networks and regulatory jurisdictions. The scope extends to smartphones, tablets, and connected wearables, but excludes traditional laptop endpoints unless the incident vector was a mobile OS or mobile management layer.
The primary federal frameworks governing breach disclosure are the Health Insurance Portability and Accountability Act (HIPAA), enforced by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), and the Federal Trade Commission Act as applied by the FTC, which addresses unfair or deceptive security practices. State-level breach notification laws — now enacted in all 50 states — supplement federal requirements and introduce additional mobile-specific obligations in jurisdictions such as California under the California Consumer Privacy Act (CCPA), enforced by the California Privacy Protection Agency (CPPA).
The NIST Mobile Threat Catalogue maintained by NIST's National Cybersecurity Center of Excellence (NCCoE) provides the authoritative taxonomy for classifying mobile threats, organizing them across application, network, supply chain, and physical attack categories. Statistical datasets mapped against this taxonomy allow comparisons across incident classes rather than across vendor-defined product categories.
How it works
Mobile security data is aggregated through four primary channels:
- Mandatory breach disclosures — HIPAA-covered entities must report breaches affecting 500 or more individuals to HHS OCR within 60 days, with smaller breaches reported annually. The HHS OCR Breach Portal ("Wall of Shame") provides a searchable public record. Mobile device loss or theft has historically appeared as a recurrent breach category in this dataset.
- Vulnerability databases — The NIST National Vulnerability Database (NVD) catalogs disclosed CVEs (Common Vulnerabilities and Exposures) and assigns CVSS severity scores. Filtering NVD by vendor identifiers for Apple iOS and Google Android produces platform-specific annual vulnerability counts. CVE counts for Android have consistently exceeded 1,000 disclosed vulnerabilities in individual calendar years, reflecting both the platform's open ecosystem and the volume of researcher submissions. Detailed breakdowns appear on the Android security vulnerabilities and iOS security vulnerabilities reference pages on this site.
- Carrier and infrastructure telemetry — The FCC and CISA both publish advisories drawing on network-level data, including SMS-based phishing (smishing) campaign volumes and SIM-swapping incident clusters. CISA's Known Exploited Vulnerabilities (KEV) Catalog flags mobile CVEs under active exploitation.
- Industry research publications — Verizon's Data Breach Investigations Report (DBIR) and the IBM Cost of a Data Breach Report are the two most widely cited non-governmental sources. IBM's 2023 report placed the average total cost of a data breach at $4.45 million (IBM Cost of a Data Breach Report 2023), though mobile-specific breach costs vary substantially by sector and data classification.
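The two governmental channels above (NVD filtered by platform vendor identifiers, and KEV as the list of CVEs under active exploitation) are usually combined in practice: count disclosures per platform per year for trend reporting, then pull out the subset that is on KEV for remediation triage. The script below is an added illustration and is not code from this page, NIST or CISA. It runs over constructed records that only mimic the JSON shape of the NVD API 2.0 response and the CISA KEV catalog feed; the CVE IDs are placeholders, the CVSS scores and due dates are made up, and the CPE vendor:product pairs used to recognise the two platforms (google:android, apple:iphone_os) are assumed to match NVD's CPE naming.

```python
"""Per-platform CVE counts from NVD-style records, cross-referenced with CISA KEV.

Added illustration (not from the page, NIST or CISA). The records below are
constructed and only mimic the JSON shape of the NVD API 2.0 response and the
CISA KEV catalog feed; the CVE IDs are placeholders, not real CVEs.
"""
from collections import Counter
from datetime import date

# Assumed CPE 2.3 vendor:product pairs for the two mobile platforms.
PLATFORM_CPE = {"android": ("google", "android"), "ios": ("apple", "iphone_os")}


def _cve(cve_id, published, cpe, score=None):
    """Build one constructed NVD-API-2.0-shaped record (sample-data helper)."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]} if score is not None else {}
    return {"cve": {"id": cve_id, "published": published, "metrics": metrics,
                    "configurations": [{"nodes": [{"cpeMatch": [
                        {"vulnerable": True, "criteria": cpe}]}]}]}}


# Constructed sample: three Android records (one unscored), one iOS, one macOS (not mobile).
NVD_SAMPLE = {"vulnerabilities": [
    _cve("CVE-2023-00001", "2023-03-06T00:00:00.000", "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", 7.8),
    _cve("CVE-2023-00002", "2023-06-05T00:00:00.000", "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", 9.8),
    _cve("CVE-2022-00003", "2022-11-07T00:00:00.000", "cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*"),
    _cve("CVE-2023-00004", "2023-04-10T00:00:00.000", "cpe:2.3:o:apple:iphone_os:16.4:*:*:*:*:*:*:*", 8.8),
    _cve("CVE-2023-00005", "2023-04-10T00:00:00.000", "cpe:2.3:o:apple:macos:13.3:*:*:*:*:*:*:*", 7.5),
]}

# Constructed sample in the KEV feed shape (cveID / vendorProject / product / dueDate keys).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2023-00001", "vendorProject": "Google", "product": "Android", "dueDate": "2023-03-27"},
    {"cveID": "CVE-2023-00004", "vendorProject": "Apple", "product": "iOS", "dueDate": "2023-05-01"},
    {"cveID": "CVE-2023-00005", "vendorProject": "Apple", "product": "macOS", "dueDate": "2023-05-01"},
]}


def cpe_platform(criteria):
    """Map a CPE 2.3 string to 'android' / 'ios', or None for anything else (incl. non-OS parts)."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[2] != "o":          # part 'o' = operating system
        return None
    for name, pair in PLATFORM_CPE.items():
        if (parts[3], parts[4]) == pair:
            return name
    return None


def platforms_for(cve):
    """Set of tracked mobile platforms that appear as *vulnerable* CPE matches on a record."""
    found = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    platform = cpe_platform(match["criteria"])
                    if platform:
                        found.add(platform)
    return found


def base_score(cve):
    """Highest CVSS v3.1 base score on the record, or None when NVD has not scored it yet."""
    scores = [m["cvssData"]["baseScore"] for m in cve.get("metrics", {}).get("cvssMetricV31", [])]
    return max(scores) if scores else None


def count_by_platform_year(nvd):
    """Annual counts keyed by (platform, year); year is taken from the NVD publish date."""
    counts = Counter()
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        for platform in platforms_for(cve):
            counts[(platform, cve["published"][:4])] += 1
    return dict(counts)


def kev_triage(nvd, kev, today_iso):
    """Mobile CVEs that are on KEV, ordered by remediation due date, then by CVSS descending."""
    today = date.fromisoformat(today_iso)
    kev_by_id = {entry["cveID"]: entry for entry in kev["vulnerabilities"]}
    rows = []
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        entry = kev_by_id.get(cve["id"])
        platforms = platforms_for(cve)
        if entry and platforms:                      # on KEV *and* affects a tracked mobile OS
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"cve": cve["id"], "platforms": sorted(platforms),
                         "cvss": base_score(cve), "due": entry["dueDate"], "overdue": due < today})
    rows.sort(key=lambda r: (r["due"], -(r["cvss"] or 0.0)))
    return rows


if __name__ == "__main__":
    for (platform, year), n in sorted(count_by_platform_year(NVD_SAMPLE).items()):
        print(f"{platform:8} {year}: {n} CVE(s)")
    for row in kev_triage(NVD_SAMPLE, KEV_SAMPLE, "2023-04-15"):
        print(row)
```

The unscored Android record still counts toward the annual total but sorts last in triage, and the macOS entry is dropped even though it is on KEV, which is the filtering the table in the next section relies on: KEV answers "what must be fixed now", the per-year count answers "how much is being disclosed". Against real feeds, replace the two sample dictionaries with the parsed JSON of an NVD API 2.0 query and of the KEV catalog download.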
Common scenarios
The mobile device threat landscape breaks down into distinct incident patterns that appear repeatedly in breach disclosures and CVE records:
Lost or stolen unencrypted devices — HHS OCR breach disclosures consistently list physical device loss as a top mobile breach category in healthcare. Devices lacking full-disk encryption expose protected health information (PHI) directly, triggering mandatory reporting under 45 CFR Part 164.
Malicious applications and sideloading — Android's permissive installation model exposes users to the risks of third-party app stores, which iOS's closed distribution largely prevents. Trojans, spyware, and stalkerware on mobile devices are distributed predominantly through sideloaded APK files. Google's Android Security Bulletin, published monthly, catalogs patched vulnerabilities; unpatched consumer devices accumulate exploitable CVEs at rates that vary by manufacturer update cadence.
Smishing and credential harvesting — The FTC received 378,119 reports categorized under imposter scams in 2022 (FTC Consumer Sentinel Network), with SMS phishing serving as a primary delivery channel. Mobile phishing and smishing attacks require no software vulnerability — only user interaction with a fraudulent link.
SIM swapping — The FTC and FBI have both issued formal warnings about SIM swapping attacks. The FBI's Internet Crime Complaint Center (IC3) reported that SIM swapping complaints increased to 1,611 in 2021, with adjusted losses exceeding $68 million (FBI IC3 2021 Annual Report).
Enterprise BYOD exposure — Organizations operating without formal BYOD security policy frameworks face compounded risk from personal devices accessing corporate networks without MDM enrollment, full-disk encryption enforcement, or certificate-based authentication.
Decision boundaries
Interpreting mobile security statistics requires distinguishing between data types that answer different operational questions:
| Data Type | Primary Use | Primary Source |
|---|---|---|
| CVE count by platform | Patch prioritization, platform selection | NIST NVD |
| Breach disclosure records | Regulatory exposure assessment | HHS OCR Breach Portal |
| Incident cost averages | Budget justification, risk modeling | IBM Cost of a Data Breach Report, Verizon DBIR |
| Complaint volumes | Threat trend identification | FTC Consumer Sentinel, IC3 |
| KEV entries | Immediate remediation triage | CISA KEV Catalog |
A high CVE count on a given platform does not directly equate to higher realized breach risk if patch deployment rates are also high. Android's open ecosystem produces more CVE disclosures than iOS, but fragmented OEM update cadences mean unpatched exposure windows are longer for Android devices outside enterprise mobile device management (MDM) programs. iOS devices under enterprise MDM with enforced OS update policies present a materially different risk profile than consumer iOS devices on outdated firmware.
For mobile security compliance purposes, the relevant benchmark is not raw CVE volume but whether the organization has implemented controls mapped to NIST SP 800-124 Rev. 2 ("Guidelines for Managing the Security of Mobile Devices in the Enterprise"), which distinguishes between fully managed, lightly managed, and unmanaged device classifications and assigns corresponding control expectations to each.
Breach cost statistics from IBM and Verizon apply to enterprise-scale incidents; small-to-mid-market organizations should treat those figures as directional rather than predictive, weighting sector-specific HHS OCR disclosures or IC3 complaint data for more relevant calibration.
References
- HHS OCR Breach Portal (HIPAA Breach Notification Rule)
- NIST National Vulnerability Database (NVD)
- NIST Mobile Threat Catalogue — NCCoE
- NIST SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise
- CISA Known Exploited Vulnerabilities Catalog
- FTC Consumer Sentinel Network Data Book
- FBI Internet Crime Complaint Center (IC3) Annual Reports
- California Privacy Protection Agency (CPPA)
- IBM Cost of a Data Breach Report 2023
- Verizon Data Breach Investigations Report (DBIR)
- FCC Wireless Network Security Guidance