A report from the cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications between 2021 and 2022, found that many mobile phones used by United States government employees were outdated. The report indicated that 10 months after the release of iOS 15, 5% of federal government devices and 30% of state and local government devices were running outdated software. Ten months after the release of Android 12, 30% of federal devices and almost 50% of state and local government devices were outdated. Notably, 10.7% of federal employees and 17.7% of state and local government employees were running versions as old as Android 8 and 9. This outdated software leaves government employees exposed to thousands of vulnerabilities that could be exploited by a threat actor.
In 2021, approximately 1 out of 11 government employees monitored by Lookout was the target of a phishing attack. Of those who clicked on the URL and were made aware of their error, 19% repeated their mistake once and 24% clicked on a phishing email more than three times. The primary goals of these phishing attacks have been malware delivery and credential harvesting. While commodity malware usually infects these devices through phishing attacks and fake applications, advanced spyware developers are known to use zero-day vulnerabilities in targeted attacks as well.