Mobile devices have long been an integral part of modern corporate IT (and chances are hardly anyone in your office shows up without a smartphone anymore). They contain confidential emails, access to cloud services, VPN profiles, and often personal data of customers or employees. This is a sensitive mix, as it makes mobile devices attractive targets for attackers. Malware such as Trojans, specialized banking malware, targeted spyware apps, or tampered corporate apps often catch organizations unprepared (it happens more often than many assume). Many of these attacks go undetected for a long time because they operate in the background and are usually not reliably detected by traditional security solutions—quietly, but with noticeable consequences.
For IT security managers, compliance teams, and internal or external legal counsel, this is therefore about more than pure prevention. The focus is on the clean and legally sound investigation of security incidents. Who had access to which data, and when? Are there indications that the device was compromised, perhaps over weeks or months? Short questions, major impact. This often determines whether findings are robust enough to be used with supervisory authorities or in court (and that is often the critical point).
This article shows which types of malware are currently relevant on mobile devices. It also explains why Trojans and spyware apps in particular pose a high risk for companies and how professional mobile forensics helps with investigations. It offers a practical perspective, complemented by insights into the current threat landscape in Germany, and shows how companies can proceed in a structured and GDPR-compliant manner.
Why mobile malware is a growing risk for companies
The mobile threat landscape has intensified significantly in recent years. Current studies from 2025 show a clear increase in Android malware, especially spyware apps and banking Trojans. While classic viruses are often discovered and removed quickly, modern malware operates far more selectively. It remains inconspicuous for a long time, bypasses common checks, and collects data in the background. Messages are read, calls or other communication content are recorded—usually without immediately visible signs. In corporate environments, this is, in my view, one of the biggest problems.
Equally relevant is where these attacks take place. Mobile devices are often used outside traditional corporate networks. Working from home, business travel, and flexible work models are now the norm. Add to that private devices used for work and constantly changing Wi‑Fi environments, such as in hotels or train stations. This significantly increases the attack surface. Often, a single compromised smartphone is enough to extract credentials or attack additional systems—and it initially goes unnoticed.
Another factor is securing the mobile operating systems themselves. Technical complexity and rapid update cycles create an inconsistent security level. Delayed updates noticeably increase risk. The same applies to rooted devices, older Android versions, or special configurations without support. Industry analyses show that many companies still use devices that no longer receive current security patches. Known vulnerabilities therefore remain open.
The first half of 2025 saw a surge in Android malware attacks compared to 2024. There are different attack vectors, and sideloading apps from outside app stores is one of them.
This development is also relevant for companies because many infections do not occur via obviously malicious apps. Instead, seemingly legitimate applications are used, such as tampered business tools or fake delivery-service apps. Alleged system or security updates are also often used as camouflage and appear credible to users. Without forensic analysis, it often remains unclear when and how an infection began—with very concrete consequences.
Trojans and spyware apps: the most common malware attack scenarios
On mobile devices, Trojans are among the riskiest forms of malware. They usually masquerade as a seemingly useful app and reveal their true function only after installation—often so discreetly that users do not notice anything for a long time. In companies, banking Trojans and so-called stealers are a particular focus. These malicious programs capture credentials and actively interfere with ongoing processes, for example by altering transfers or intercepting and forwarding one-time codes. All of this usually happens in the background while the device is used normally, which makes early detection significantly more difficult.
Spyware apps operate even more selectively. They read content from ongoing communications, evaluate location data, and often access the microphone or camera on a persistent basis—generally without any visible indications for the affected person. In internal investigations, such applications often appear in the context of industrial espionage, but also in cases of suspected disclosure of trade secrets or escalating employment-law disputes. In my experience, they are often underestimated because their technical camouflage is well implemented and does not trigger clear warning signs.
Initial access often occurs via apps outside official app stores that supposedly offer useful additional features. It seems harmless, but rarely is. The applications request extensive permissions, abuse accessibility services, set up covert background processes, and continuously send sensitive data to external servers. For companies, this often results in GDPR risks, reputational damage, and time-consuming internal reviews.
Increasingly, attacks also start via phishing messages sent by SMS or common messengers. Often, a single click on a manipulated link is enough to download additional malware. However, these messages often look like normal work communication and are therefore not immediately recognized as a threat.
This is where professional mobile forensics becomes relevant. Only an in-depth analysis makes installation times, communication connections, and specific data exfiltration traceable. In many cases, this creates a solid basis for further steps, such as internal measures or legal assessments based on clear technical findings. Further details can also be found in our article on mobile device spyware analyses.
Mobile forensics as the key to preserving evidence
If malware is suspected on a mobile device, swift yet structured action is usually required—often faster than one would like. Time pressure is almost always part of it. Uncoordinated steps such as resetting the device or hastily deleting individual apps, however, often lead to potentially relevant evidence being lost. For legal departments and compliance teams, this quickly becomes a real risk, especially if robust and traceable results are later expected—for example in internal investigations or external audits. Frankly, not a good starting point.
Professional mobile forensics deliberately takes a different approach. It preserves digital traces unchanged, extracts them in a technically sound manner, analyzes them in detail, and documents the results in a traceable way, including clear timelines. In most cases, this provides the necessary clarity. Typical components include, among others:
- forensic images of smartphones and tablets in accordance with recognized standards
- analysis of installed apps as well as often overlooked background processes
- a detailed evaluation of network connections and available log files
- reconstruction of user activities, in some cases over days or weeks
In addition, metadata, system artifacts, and app-specific databases are evaluated fully and systematically—without relying on gut feeling. Modern forensic tools also often make it possible to partially restore deleted information and to specifically reveal hidden malware components, even if they were only active briefly.
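As an added illustration of the triage steps listed above (not code from the original article or from any forensic vendor), the following Python snippet hashes an evidence image before and after analysis, flags installed apps that match the patterns the article describes (sideloaded installer, accessibility service, SMS access combined with network access), and builds the chronological install timeline a case report needs. The inventory records, the field layout, and the trusted-installer list are constructed assumptions for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample app inventory (not data from a real device). The record layout is
# an assumption for this example, not the export format of any real forensic tool.
SAMPLE_INVENTORY = json.loads("""[
 {"package": "com.corp.vpn", "installer": "com.company.mdm", "installed": "2025-01-15T08:00:00Z",
  "permissions": ["android.permission.INTERNET"], "accessibility_service": false},
 {"package": "com.example.bank", "installer": "com.android.vending", "installed": "2025-03-02T09:14:00Z",
  "permissions": ["android.permission.INTERNET", "android.permission.USE_BIOMETRIC"],
  "accessibility_service": false},
 {"package": "com.parcel.tracker", "installer": null, "installed": "2025-03-10T18:42:00Z",
  "permissions": ["android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"], "accessibility_service": true}
]""")

# Installer allow-list (assumption): Google Play plus the company's own MDM agent package.
TRUSTED_INSTALLERS = {"com.android.vending", "com.company.mdm"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def custody_hash(image: bytes) -> str:
    """SHA-256 of an evidence image; recorded before and after analysis to prove it is unchanged."""
    return hashlib.sha256(image).hexdigest()


def triage(inventory, trusted=TRUSTED_INSTALLERS):
    """Return {package: [reasons]} for apps matching the risk patterns described in the article."""
    findings = {}
    for app in inventory:
        reasons = []
        if app["installer"] not in trusted:
            reasons.append("sideloaded")  # installed outside the store or the MDM
        if app["accessibility_service"]:
            reasons.append("accessibility_service")  # can observe and act on screen content
        perms = set(app["permissions"])
        if perms & SMS_PERMS and "android.permission.INTERNET" in perms:
            reasons.append("sms_interception")  # can read one-time codes and forward them
        if reasons:
            findings[app["package"]] = reasons
    return findings


def timeline(inventory, findings):
    """Chronological install events, each tagged with its triage reasons, for the case report."""
    events = []
    for app in inventory:
        ts = datetime.strptime(app["installed"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, app["package"], findings.get(app["package"], [])))
    return sorted(events, key=lambda e: e[0])
```

Run the triage on the image's app inventory only after `custody_hash` has been recorded, and record it again afterwards so the custody log shows the image was never modified.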
Due to the increased activity of mobile ransomware Trojans in Germany, the number of ransomware Trojan installation packages more than doubled, reaching 1,564.
Such figures show how much the importance of reliable digital evidence has increased. In my view, companies must be able to explain to law enforcement authorities, courts, or data protection supervisory authorities what actually happened on a device—and exactly when.
Common mistakes when investigating compromised smartphones
The moment immediately after the first suspicion is often particularly consequential. With good intentions, the IT department intervenes early, removes suspicious apps, resets settings, or restarts the device. However, these steps immediately change the state of the evidence. At this stage, traces in volatile memory or in log files are often still present—and those are exactly what such steps destroy. For later forensic analysis, this becomes a real problem in many cases.
It is also common for the incident to be underestimated at first. Mobile malware is still often considered less critical than attacks on servers or traditional workstations, which I consider quite risky. Current investigations show, however, that smartphones are often at the start of larger security incidents and give attackers early access to emails, messengers, tokens, or internal systems.
It is also not uncommon for unsuitable tools to be used or for analyses to be carried out by untrained staff. Without forensic experience, false assumptions quickly arise or relevant traces remain undiscovered—which, unfortunately, happens more often than many expect. It becomes particularly problematic when devices are handed over without a clearly regulated chain of custody and it later becomes unclear who made which changes and when.
Incomplete documentation also weakens the results. If traceable logs for preservation and analysis are missing, the evidential value suffers—for example in internal investigations or employment-law disputes. Experienced forensic service providers therefore rely on fixed procedures and clear responsibilities from the outset. A typical example is the first contact with the device, where preservation, documentation, and legal requirements are addressed at the same time. More on this in the article Mobile Forensics Basics.
Current trends and future challenges
What is particularly striking is how professionally malware on mobile devices has evolved. Spyware apps appear more frequently and usually pursue very specific goals, such as deliberately disrupting forensic analyses—often not a big surprise, but technically far more sophisticated than in the past. This includes encrypted communication channels or time-controlled self-deletion mechanisms that remove evidence after hours or days. At the same time, the focus is shifting increasingly toward cloud forensics. Many mobile apps store data directly in SaaS environments such as Microsoft 365, which often leaves hardly any usable traces locally—and this is not always recognized early.
Another trend is the increased use of artificial intelligence on the attacker side. Malware dynamically adapts its behavior to user behavior in order to remain inconspicuous for longer—arguably an effective approach. I consider the growing focus on mobile device management systems particularly critical: a central access point that controls entire device fleets and is difficult to detect early on.
Germany’s digital economy is under growing threat from ransomware attacks, credential theft, phishing campaigns, and dark web exploitation.
For companies, this means that traditional security concepts are usually no longer sufficient. Mobile devices, cloud services, connected systems, and external platforms are so tightly linked that isolated analyses often fail in audits. In my view, teams must consider mobile endpoints, cloud logs, and MDM systems together—otherwise connections in longer attack chains remain hidden.
From incident to a defensible decision
In a serious incident, the technical side quickly comes into focus. What matters, however, are well-founded decisions—often under noticeable pressure. Was a data leak actually caused by malware, or rather by human error? Are multiple systems affected, or only individual endpoints? Do customers need to be informed, and when should supervisory authorities be involved? At precisely this moment, speculation does not help.
Especially under time pressure, reliable facts matter, because wrong decisions often lead to fines, reputational damage, or legal disputes faster than expected. Mobile forensics provides an objective basis for this. It clearly shows which devices are affected, which data may have been exfiltrated, and when access took place.
Companies that rely early on specialized mobile forensics have a clear advantage in most cases. They gain transparency, reduce liability risks, and respond to incidents in a more structured manner. Providers such as Quintego preserve and analyze digital evidence in a court-admissible and GDPR-compliant way, which pays off especially during audits. Mobile devices should therefore not remain a blind spot, but should be an integral part of a professional forensic strategy with clear responsibilities.