All is not well in the world of Mobile and IoT according to the latest Zscaler 2025 Threat Report.
The changing focus of this annual report reflects the rapid evolution and recognition of mobile risk. Last year the report included mobile alongside IoT for the first time, and the latest report is even more mobile focused. As the report says: “Mobile devices now dominate global connectivity, while IoT and OT systems keep manufacturing, healthcare, transportation, and smart cities running”. The report highlights that mobile is now the primary attack vector for hackers, a “shadow attack surface that is difficult to detect and defend”.
Of course Zscaler have their own angle on the data they observed, and their findings revolve around the need for secure cloud‑delivery of networking and security via segmentation and deploying a “Zero Trust Exchange architecture”, which is of course what the company offers.
They also unfortunately assume a level of device management and control which is impossible to achieve with consumer-facing apps on personal devices.
We thought it would be worth looking at the data and trends in the report through a different lens: Zscaler focuses on user and device discovery and visibility, least privilege access, and monitoring. But that's just part of the story. Let's look at what the findings tell us about mobile consumer apps and how they access the APIs they use. First, let's review the report.
The Scale of The Problem
ThreatLabz highlights the growing risk of sophisticated mobile malware to users and financial institutions worldwide, as well as the rapidly expanding use of vulnerable IoT devices as a vehicle for botnet expansion and malware delivery. Here are a few key findings:
- Android malware transactions jumped 67% in the 2025 period. Fake apps and trojans masquerade as legitimate apps on both official and third-party app stores. When downloaded, they use highly deceptive techniques to capture usernames, passwords, and even hijack two-factor authentication (2FA).
- Official app stores provide no protection. In 2024, the report identified 200+ apps on Google Play, and this year it found an astonishing 239 compromised apps with over 42 million downloads. The report in particular calls out the “Tools” category on the Google Play Store as a source of malicious fake apps.
- Mobile threats are increasing in sophistication and targeting specific industries: Finance gets special mention, with trojans and fake apps stealing financial data and credentials. Peer-to-peer (P2P) transactions through mobile platforms present another excellent opportunity for exploitation. No industry is immune from the risk, however: the energy sector saw attacks up an astonishing 387% year on year.
- Zscaler saw blocked IoT malware transactions grow 45% year‑on‑year in 2024. Botnet campaigns use vulnerable edge devices such as routers. Many IoT and operational‑technology systems have known vulnerabilities, inadequate password protection, or run end‑of‑life or otherwise exposed OSs. Botnets such as Mirai find and exploit IoT vulnerabilities to gain network-wide control for Distributed Denial of Service (DDoS) attacks on APIs and backend systems.
The Zscaler Takeaways
Zscaler focuses on device visibility, zero trust access, segmentation and inspection:
- Zero‑trust connectivity & inspection: As mobile devices, IoT sensors and OT systems increasingly bypass traditional perimeter controls, Zscaler advocates routing traffic through the Zero Trust Exchange so it can inspect, apply policy, and authenticate device/app posture. (This aligns with the report’s call out of the “shadow attack surface” of mobile + IoT/OT).
- Threat intelligence + malware blocking at scale: The large year‑on‑year increases in malware volume make clear the need for cloud‑scale telemetry, real‑time blocking and global coverage – which Zscaler claims (via their platform) to deliver.
- Device and application posture / segmentation: Given that many attacks exploit unmanaged mobile devices or headless/unpatched OT devices, Zscaler’s emphasis on segmentation (“network of one”, least privilege) is directly relevant.
- Visibility across distributed endpoints/environments: With mobile, IoT/OT, and remote workplaces converging, Zscaler’s model of cloud‑based inspection (rather than traditional on‑prem firewalls) becomes more compelling.
- Supply‑chain / legacy risk mitigation: The report points to legacy OT systems and malware delivered via trusted apps; Zscaler’s solutions aim to control app-to-cloud and device-to-cloud traffic, thus limiting risk from such vectors.
Specific Zscaler Recommendations
From the report and related commentary, Zscaler’s core recommended mitigations include:
- Discovering/inventorying all mobile, IoT and OT devices (including unmanaged “shadow” devices) so you have visibility.
- Enforcing a Zero Trust architecture: direct secure connectivity from device/app to application (not network), with adaptive access decisions based on device posture, risk telemetry, user context.
- Segmenting devices/applications: least‑privilege, isolating “networks of one” especially for agentless or legacy IoT/OT devices to prevent lateral movement.
- Maintaining consistent security policies across all devices, users, and applications regardless of location.
- Monitoring/inspection of traffic (including encrypted traffic) and anomaly detection; blocking malicious payloads, detecting supply‑chain/legacy vulnerabilities.
But here is the problem: many of the recommendations in the Zscaler ThreatLabz report (like device inventory, microsegmentation, and universal policy enforcement) are aspirational for enterprise IT, but impractical or even impossible in consumer mobile app environments.
These Recommendations are Not Applicable to Customer Facing Apps Running on Personal Devices
Let's break down the issues with three recommendations from the report:
- Zscaler says: “Discover and inventory all mobile, IoT and OT devices (including unmanaged ‘shadow’ devices) so you have visibility.”
  - The consumer app reality: You have no control over consumer devices; they're BYOD by default. App publishers can't discover or inventory a user’s phone or tablet beyond what’s provided by app permissions. The concept of a “shadow device” doesn't translate meaningfully in the mobile app/API world — instead, what matters is attesting the runtime environment of the app, not managing the physical device.
  - What is actually needed: Use app attestation (like Approov) to verify the authenticity and integrity of each app instance, regardless of the device. You can’t inventory personal phones, but you can verify what’s calling your APIs.
- Zscaler says: “Segment devices and applications, especially agentless or legacy IoT/OT devices, to prevent lateral movement.”
  - The consumer app reality: There’s no network access or lateral movement risk inside a commercial mobile app on a consumer phone. Consumers don’t enroll in enterprise-level network microsegmentation.
  - What is actually needed: Don’t trust the network or device at all. Use a zero trust API architecture: validate each request as coming from an attested app, with short-lived cryptographic proofs of integrity. That’s your “network of one.”
- Zscaler says: “Apply consistent security policies across all devices, users, and applications regardless of location.”
  - The consumer app reality: You can’t enforce policies uniformly across unmanaged devices. Consumers don’t opt into unified device management; policies must be enforced at the API layer, not the endpoint.
  - What is actually needed: Enforce policies via API gateways or backend services that only respond to valid, attested clients. Let your app carry its own trust signal (e.g., an Approov token), and let the server decide what’s acceptable.
So for consumer mobile apps, in order to enable realistic, enforceable Zero Trust in what is by default a hostile, unmanaged mobile ecosystem, the Zscaler recommendations must be reinterpreted through a lens of:
- Runtime attestation, not device inventory
- API-level zero trust, not network segmentation
- Dynamic policy enforcement on the backend, not endpoint conformity
This is what solutions like Approov provide.
How Approov Fills the Gap
Approov complements and enhances the Zscaler vision by addressing the application layer of mobile clients and APIs: verifying that the mobile app is genuine, securing runtime secrets, and protecting backend APIs from spoofed/compromised clients:
- App Attestation: Approov verifies that the mobile app instance itself is genuine, untampered, running expected code, not hijacked, so you can ensure that only legitimate mobile apps (unmodified, on un‑rooted/jail‑broken devices, with correct runtime environment) can ever access sensitive backend APIs.
- API Key Management: Zscaler’s model covers connectivity and segmentation; but for mobile apps, a key risk remains: hard‑coded API keys/secrets in apps, stolen credentials, leading to backend/API abuse (a classic mobile‑API threat). Approov addresses this by enabling mobile apps to securely fetch short‑lived tokens/secrets at runtime after attestation, reducing the exposure of static credentials.
- Backend API abuse prevention (by verifying client app identity): The report highlights mobile banking malware, fake apps, credential‑harvesting etc. Zscaler’s network/traffic solution helps, but doesn’t explicitly cover the “client code authenticity” layer. Many mobile/API threats involve automation, fake clients, bots, emulators or modified apps behaving like legitimate ones. Approov helps verify client authenticity and can help backend APIs distinguish legitimate mobile‑app traffic from spoofed/automated traffic.
- Developer‑centric mobile lifecycle controls: Zscaler gives recommendations for enterprise architectures, but mobile dev teams and API teams need specific guidance around the app/SDK/API chain — which is where Approov specializes. Since mobile apps involve rapid release cycles and multiple devices/platforms (iOS, Android, HarmonyOS), Approov’s SDK approach helps incorporate the application‑attestation and secrets‑delivery mechanism deep into the mobile dev lifecycle.
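To make the “what is actually needed” points and the short‑lived‑token idea above concrete, here is an added example of the backend side of that model; it is not code from the Zscaler report, nor from Approov’s SDK or documentation. It shows an API handler that serves a request only when it carries a fresh, correctly signed attestation token, so the policy decision lives on the server rather than on the unmanaged device. The token format (an HS256‑signed JWT carried in an Approov-Token header), the shared verification secret, the audience value and the five‑minute lifetime are assumptions for illustration; the checks themselves are the generic ones any attested‑client API would perform: reject malformed tokens, refuse unexpected algorithms, verify the signature in constant time, then enforce expiry and audience.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real deployment loads the verification secret
# from server-side configuration; it never ships inside the mobile app.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
API_AUDIENCE = "api.example.com"  # assumed audience claim for this backend


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(secret: bytes, audience: str, now: int, ttl: int = 300) -> str:
    """Stand-in for the attestation service: mint a short-lived HS256 JWT.

    Only a client whose app instance passed attestation would receive this.
    """
    compact = {"separators": (",", ":")}
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = _b64url_encode(
        json.dumps({"aud": audience, "iat": now, "exp": now + ttl}, **compact).encode()
    )
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_attestation_token(token: str, secret: bytes, audience: str, now: int) -> tuple[bool, str]:
    """Backend-side check. Returns (accepted, reason) so callers can log why a request was refused."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable"
    # Pin the algorithm the server expects; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    if payload.get("aud") != audience:
        return False, "wrong audience"
    return True, "ok"


def handle_api_request(headers: dict, secret: bytes, audience: str, now: int) -> tuple[int, str]:
    """The 'network of one': no valid, fresh attestation token means no data, whatever the device."""
    ok, reason = verify_attestation_token(headers.get("Approov-Token", ""), secret, audience, now)
    if not ok:
        return 401, reason
    return 200, "account data"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_attestation_token(DEMO_SECRET, API_AUDIENCE, now)
    print(handle_api_request({"Approov-Token": token}, DEMO_SECRET, API_AUDIENCE, now))
    print(handle_api_request({"Approov-Token": token}, DEMO_SECRET, API_AUDIENCE, now + 600))
    print(handle_api_request({}, DEMO_SECRET, API_AUDIENCE, now))
```

Because the token expires within minutes and is bound to one audience, a copy lifted from a device or replayed against another API buys an attacker very little, and the server never has to know anything about the phone itself.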
Conclusion
The Zscaler report gives strong evidence that the mobile attack surface is growing and evolving. For mobile app/API teams, this means revisiting assumptions about client security and secret management.
The recommendations in the report however focus on enterprise use-cases and do not fully and effectively address the real threat which is apps running on unmanaged personal devices.
In this blog, I have explained how to fill this gap and apply Zero Trust principles to manage this threat. Anyone with a mobile app should certainly look to upgrade their runtime‑client security posture and adopt more resilient API protections.
The report does state that: “Enterprises should not rely on any single cloud company or security provider—akin to putting all your eggs in one basket—but instead adopt a layered approach from multiple independent security organizations.”
We certainly agree with this recommendation - Approov are experts on mobile app and API security. Contact us to discuss how to implement continuous, effective protection of your apps and APIs, no matter where they are running.
George McGregor
VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.
