2021 Mobile Security: Android more vulnerabilities, iOS more zero-days

Mobile security company Zimperium has released its annual mobile threat report where security trends and discoveries in the year that passed lay the groundwork for predicting what's coming in 2022.

In general, malicious actors' focus on mobile platforms increased compared to previous years, mainly because of the global workforce's shift to remote work.

This focus manifested in more significant malware distribution volumes, phishing and smishing attacks, and more efforts to discover and leverage zero-day exploits.

Threats by region

In 2021, actors focused more on remote workforce or on-premise mobile devices, leading to increased malicious network scans and man-in-the-middle (MiTM) attacks. These attacks are aimed at stealing sensitive information that plays a crucial role in more significant attacks against corporate networks.

The most prevalent threats for each region of the world in 2021 were the following:
  • Asia/Pacific – malicious websites, malware, MiTM
  • Africa – malware
  • Europe – malware, malicious local scans, MiTM
  • North America – malware, MiTM
  • South America – malware, malicious local scans

Android vs. iOS

The mobile operating systems market is dominated by a duopoly of Android and iOS, so inevitably, all comparisons under any spectrum revolve around those two.

Concerning security in 2021, Android had more vulnerabilities overall than iOS, but the vulnerabilities found in iOS tended to be more serious.

Judging by volume, Android had 574 vulnerabilities discovered in 2021, a notable reduction from the 859 in 2020, and 79% of them were characterized by low attack complexity. This categorization denotes flaws that are easy to exploit.

Of the 574 Android flaws, 135 (23%) had a CVSS score higher than 7.2, while 18 were rated as critical.

On iOS, security researchers found 357 new vulnerabilities in the year that passed, but only 24% of them are considered low complexity bugs.

Moreover, only 63 (17%) have a CVSS severity rating higher than 7.2, but 45 of the flaws are critical, which means leveraging them may result in significant compromise to a device.

This makes iOS a more challenging but more lucrative target: its flaws are harder to exploit, but the payoff from a successful exploit is greater.

This hypothesis is supported by the zero-day statistics for 2021: of the 17 zero-day vulnerabilities exploited in attacks targeting mobile devices that year, 64% were iOS vulnerabilities.