The frequency of cyber-attacks on customer-facing mobile apps has increased rapidly over the past few years, as AI reduces skill, time and cost barriers for threat actors, according to Digital.ai.

The DevOps specialist collected telemetry from billions of application instances across clients in financial services, healthcare, automotive, telecommunications and other sectors to compile its 2026 Application Security Threat Report, published on May 19.

It claimed that 87% of monitored apps faced attacks in 2026 – up from 55% in 2022. The increase over that time has mirrored the growth in AI model use since ChatGPT launched in November 2022, the firm said.

Financial services (91%), automotive (91%) and medical device apps (86%) were the most frequently targeted – putting personal finances, vehicles and health data potentially at risk.

Read more on mobile device threats: 92% of Mobile Apps Found to Use Insecure Cryptographic Methods.

Digital.ai claimed that agentic AI is now enabling relatively low-skilled threat actors to achieve in just a few hours what may have taken specialist teams weeks in the past, by accelerating code inspection, exploit generation, and malware adaptation.

Android and iOS Neck and Neck

Interestingly, the gap between iOS and Android has closed significantly. In 2023, iOS apps faced around half the volume of attacks as their Android counterparts. In 2026, 86% were attacked, versus 89% of Android apps, with iOS instrumentation attacks surging 10 percentage points annually.

Digital.ai argued that AI-assisted reverse engineering is making it a more popular target for threat actors. A gap that once justified significantly lower security investment in Apple’s platform has now vanished for developers, it claimed.

Apps are being attacked just hours after appearing in their respective online stores, it added.

This is bad news for security teams as the software often lives on employee devices outside their control, Digital.ai said.

The firm’s CEO, Derek Holt, argued that the same AI developers used to create apps is being used to attack them.

“That forces a question every appsec team needs to answer: is the application built to defend itself from the moment it hits the store? Or is it waiting for the security team to notice it is being used as the entry point?” he added.

“The gap between where the attacks are and where the security investment is, is no longer acceptable."