
Market Outlook: 81% Mobile Apps Vulnerable to Cyberattacks

As more people use mobile apps, cybercriminals continue to develop new ways to exploit app vulnerabilities.

2023-03-22

Key takeaways

  • 81% of the apps tested had no defense against cyberattacks.
  • 84% of apps lacked the ability to detect if malicious code had been injected into their source code.
  • Only 15.7% of apps used any kind of repackaging detection.

As more people use mobile apps, cybercriminals continue to develop new ways to exploit app vulnerabilities. Cyberattacks increased by 38% in 2022 compared to the previous year, and the number of new mobile malware variants increased 54% in 2019. The application shielding technology company Promon recently tested 357 high-earning Android mobile games for their ability to withstand attempts to reverse engineer or manipulate them. Surprisingly, 81% (289) of the apps had no defense against these attacks and were unable to detect a compromised device.

Defenseless apps


One of the tests in Promon's four-step examination involved "repackaging," a technique used by malicious actors to modify the existing source code of mobile applications. Hackers can use this technique to insert their own code on top of an app's source code and perform additional background tasks that are not related to the app's intended functions.

This allows cybercriminals to steal user login credentials using a technique known as credential stuffing.

Surprisingly, the tests revealed that 84% of apps lacked the ability to detect if their source code had been tainted with malicious code, leaving them vulnerable to a wide range of cyberattacks.

Only 15.7% (56) of apps had any form of repackaging detection in place, making them the exception rather than the rule.
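One common form of the repackaging detection discussed above, shown as an added example (not code from Promon or from the study): a repackaged APK has to be re-signed with a different key, so the app compares its current signing certificate against a pinned digest. The constant and function names are hypothetical, and the digest is a placeholder to be replaced with your own release certificate's SHA-256.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Placeholder (assumption): lowercase hex SHA-256 of each legitimate release
// signing certificate. List old and new certificates if the key was rotated.
private val ALLOWED_CERT_SHA256 = setOf("<sha256-of-your-release-certificate>")

private fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes)
        .joinToString("") { "%02x".format(it) }

/** SHA-256 digests of the certificates that sign the installed copy of this app. */
fun signerDigests(context: Context): Set<String> {
    val pm = context.packageManager
    val signatures = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(
            context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
        )
        val signingInfo = info.signingInfo ?: return emptySet()
        // Multiple signers have no rotation history; otherwise use the lineage.
        if (signingInfo.hasMultipleSigners()) signingInfo.apkContentsSigners
        else signingInfo.signingCertificateHistory
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    }
    return signatures.orEmpty().map { sha256Hex(it.toByteArray()) }.toSet()
}

/**
 * True when the app appears to have been re-signed: no signer could be read,
 * or at least one signer is not in the pinned set.
 */
fun looksRepackaged(context: Context): Boolean {
    val digests = signerDigests(context)
    return digests.isEmpty() || digests.any { it !in ALLOWED_CERT_SHA256 }
}
```

A check that runs only on the device can be patched out during repackaging or overridden by a hooking framework, so it is usually paired with server-side verification of the reported digest.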

The company also looked into app vulnerabilities related to hooking frameworks, which are used to monitor, modify, and redirect events in a mobile app.

Promon’s tests repackaged almost 85% of all the apps tested

They are used by serious developers and security experts to identify vulnerabilities and malicious activities. They can, however, be used for malicious purposes such as stealing sensitive data.

Only 5–8% of the apps tested could protect themselves from attacks using hooking frameworks.

Finally, only one app could detect the presence of a rooted device, leaving the vast majority vulnerable to a variety of security flaws.

13% of apps with $100M or more in annual revenue could detect hooking framework Frida, although none could detect LSPosed

Why developers must address cyberattacks


Cybercrime in the gaming industry can be disastrous for developers and publishers. Consumer trust declines when games fail to provide a safe and secure experience, and developers ultimately make fewer sales and have fewer downloads.

“We were surprised at how many mobile games had a gap in cyber protection. From a technical standpoint, these aren’t complex attacks,” says Benjamin Adolphi, head of security research at Promon.

“These are basic tools and techniques leveraged by cybercriminals every day, and protecting against them should be a priority for developers when building these apps. While attracting millions of players, mobile gaming companies should consider bridging the gap between mobile app protection and ensuring that all gamers enjoy the game. Doing that will not only protect the game experience, but ensure that gaming companies defend their brands and grow their revenue.”

Hooking tools can modify game code and give players an unfair advantage, resulting in revenue loss for developers as players opt out of in-game purchases.

Worse, hooking frameworks can be used to extract sensitive data such as proprietary game code, user data, or cryptographic keys, exposing developers to security risks as well as intellectual property theft. If a game is known to be vulnerable, it risks losing its reputation and player trust, causing long-term financial harm to the developer.
