Why Your Mobile Security Strategy is Broken—and How to Fix It

Most federal mobile security strategies stop at device management—leaving a dangerous blind spot for data-harvesting apps already installed on government devices. To stay ahead of today’s mobile threats, agencies must go beyond MDM with continuous app vetting, proactive risk detection, and real visibility into where sensitive data is actually going.


Mobile isn’t just part of the mission anymore. It is the mission. From field operations to executive communication, federal agencies rely on mobile devices every day. But the protections in place still treat these endpoints like second-tier assets. If your current mobile security strategy ends at device management and blocking TikTok, you’re exposed.

The real risk isn’t just rogue apps with flashy headlines—it’s the hundreds of unvetted apps already running on devices that quietly exfiltrate data, undermine system protections, and introduce serious supply chain risk.

High-profile compromise shows how personal mobile data fuels impersonation

In a recent high-profile case, the personal phone of White House Chief of Staff Susie Wiles was reportedly compromised, and her contacts list was used to impersonate her in phone calls and text messages to U.S. lawmakers and officials. This wasn’t a foreign intel op or zero-day exploit—it was the kind of social engineering that becomes possible when basic mobile security gaps go unaddressed.

The real threat isn’t just TikTok — it’s the apps you didn’t notice

Much of the public debate around mobile security has focused on TikTok and, more recently, DeepSeek. But these are just the most visible examples. Harvester apps—those that silently collect data and transmit it abroad—are far more widespread and insidious.

Many of these apps don’t act alone. Instead, they participate in app collusion, where multiple apps—often from the same developer network or using shared SDKs—work together to bypass platform restrictions, correlate user data, and exfiltrate information that would otherwise appear benign in isolation.

This kind of coordinated behavior can evade basic permission audits and pose a serious threat to sensitive environments like federal mobile fleets. Think of it like a tag team:

  • One app asks for access to your contacts.
  • Another app—on the same phone—sends data to foreign servers.

Individually, they don’t raise alarms. But together, they bypass security rules and leak sensitive information that no single app could access on its own. This behavior is difficult to detect without deep inspection. And it’s one reason app stores, firewalls, and MDMs rarely catch these threats in time.
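The tag-team pattern above is easier to see in code. This is an added example, not Quokka’s tooling or any analysis from this post: it takes a device’s app inventory (permissions, embedded network destinations with a country label, signing identity, bundled SDKs), flags apps that look risky on their own, and then looks for pairs where one app holds a sensitive permission, a different app has high-risk egress, and the two share a coordination channel. The inventory, the sensitive-permission set and the high-risk country list are all constructed for the example.

```python
"""Cross-app collusion check over a device's app inventory.

Each entry describes one installed app: the permissions it holds, the
network destinations embedded in it (host -> country code), its signing
identity, and the third-party SDKs it bundles.  The inventory below is
constructed for this example; a vetting pipeline would populate it from
MDM/UEM enrollment data and per-app static analysis.
"""
from itertools import combinations

# Permissions that grant access to data worth exfiltrating (illustrative set).
SENSITIVE_PERMISSIONS = {"READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
                         "ACCESS_FINE_LOCATION"}
# Egress countries this example's policy treats as high-risk (constructed).
HIGH_RISK_COUNTRIES = {"CN", "RU", "IR", "KP"}

DEVICE_INVENTORY = [
    {"package": "com.example.contacts_sync", "signer": "DEV-A",
     "permissions": {"READ_CONTACTS", "INTERNET"},
     "destinations": {"api.example-sync.com": "US"},
     "sdks": {"analytics-kit"}},
    {"package": "com.example.wallpaper", "signer": "DEV-B",
     "permissions": {"INTERNET"},
     "destinations": {"cdn.example-wall.cn": "CN"},
     "sdks": {"analytics-kit"}},
    {"package": "com.example.notes", "signer": "DEV-C",
     "permissions": {"INTERNET"},
     "destinations": {"sync.example-notes.com": "US"},
     "sdks": set()},
    {"package": "com.example.scanner", "signer": "DEV-D",
     "permissions": {"CAMERA", "READ_CONTACTS", "INTERNET"},
     "destinations": {"upload.example-scan.cn": "CN"},
     "sdks": set()},
]


def sensitive_permissions(app):
    return app["permissions"] & SENSITIVE_PERMISSIONS


def high_risk_destinations(app):
    return {h for h, cc in app["destinations"].items() if cc in HIGH_RISK_COUNTRIES}


def shared_channels(a, b):
    """Traits that let two apps coordinate: a common signing identity
    (same developer, and on Android the option of a shared user ID) or a
    common third-party SDK that can broker data between its host apps."""
    channels = []
    if a["signer"] == b["signer"]:
        channels.append("signer:" + a["signer"])
    channels.extend("sdk:" + s for s in sorted(a["sdks"] & b["sdks"]))
    return channels


def flag_single_apps(inventory):
    """Apps that look risky on their own: sensitive data access plus
    high-risk egress in the same package.  A per-app audit catches these."""
    return sorted(app["package"] for app in inventory
                  if sensitive_permissions(app) and high_risk_destinations(app))


def find_collusion_pairs(inventory):
    """Pairs where one app holds sensitive permissions, a *different* app
    has high-risk egress, and the two share a coordination channel.
    Neither app trips a per-app audit; together they form the tag team."""
    findings = []
    for a, b in combinations(inventory, 2):
        for collector, courier in ((a, b), (b, a)):
            data = sensitive_permissions(collector)
            egress = high_risk_destinations(courier)
            if not data or not egress:
                continue
            channels = shared_channels(collector, courier)
            if channels:
                findings.append({
                    "collector": collector["package"],
                    "courier": courier["package"],
                    "data": sorted(data),
                    "egress": sorted(egress),
                    "channels": channels,
                })
    return findings


if __name__ == "__main__":
    print("per-app flags:", flag_single_apps(DEVICE_INVENTORY))
    for f in find_collusion_pairs(DEVICE_INVENTORY):
        print(f"collusion: {f['collector']} -> {f['courier']} via {f['channels']}")
```

On this inventory the scanner app is caught by the per-app check alone, while the contacts-sync and wallpaper apps each pass it and are only flagged as a pair through the SDK they share. A permission audit that looks at one app at a time never produces that second finding.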

What about the apps you didn’t notice?

Quokka’s team has reviewed apps—VPNs, scanning tools such as CamScanner, and messaging clones—that leak sensitive metadata, mobile device identifiers, and user behaviors to infrastructure in sanctioned or adversarial countries.

In a recent analysis, we found that DeepSeek contains several domains and IPs resolving directly to servers in China. This wasn’t flagged by the app store. There were no warnings from MDMs or endpoint firewalls.

Quokka’s pre-deployment app vetting flagged the app before it was ever installed on a customer’s device—based on analysis of embedded network destinations, third-party SDKs, and code-level indicators tied to foreign infrastructure.

This level of inspection is essential to catch high-risk apps before they ever reach production environments.

Proactive protection has two parts:

  1. Apps must be vetted before installation.
  2. Installed apps must then be continuously monitored.

Even trusted apps can introduce new risks with updates, code changes, or third-party integrations.
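The pre-deployment inspection described above (embedded network destinations, third-party SDKs) and the two-part vet-then-monitor model both come down to the same data, so this one added example covers both. It is not Quokka’s vetting engine or any code from this post: it pulls URL hosts and IP literals out of an app’s string table, labels each with a country from a constructed lookup table (standing in for live resolution and geolocation), issues a verdict, and then diffs an update against the approved baseline so that a new permission, SDK or destination triggers a re-vet. The string tables, permission and SDK lists, and the country table are constructed; 203.0.113.9 is a documentation address labelled “CN” only for the example.

```python
"""Pre-install vetting of an app's embedded network destinations, plus a
drift check that re-vets an update against the approved baseline.

The string tables, permission lists and SDK lists below are constructed
for this example; a real pipeline extracts them from the app binary and
resolves/geolocates each host instead of using a static lookup table.
"""
import re
from dataclasses import dataclass

# Constructed host -> country lookup standing in for live resolution/geo data.
# 203.0.113.9 is a TEST-NET-3 documentation address, labelled CN only here.
HOST_COUNTRY = {
    "api.example-scan.net": "US",
    "cdn.example-scan.net": "US",
    "telemetry.example-partner.cn": "CN",
    "203.0.113.9": "CN",
}
HIGH_RISK_COUNTRIES = {"CN", "RU", "IR", "KP"}   # constructed policy set

# Hosts that appear inside URLs, and bare dotted-quad literals.  Bare
# hostnames without a scheme are left out to avoid matching package names;
# a production extractor also mines config and resource files.
URL_HOST_RE = re.compile(r"(?:https?|wss?)://([a-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _valid_ipv4(s):
    return all(0 <= int(o) <= 255 for o in s.split("."))


def extract_hosts(strings):
    """Network destinations embedded in an app's string table."""
    hosts = set()
    for s in strings:
        hosts.update(URL_HOST_RE.findall(s.lower()))
        hosts.update(ip for ip in IPV4_RE.findall(s) if _valid_ipv4(ip))
    return hosts


@dataclass
class VettingReport:
    package: str
    version: str
    permissions: set
    sdks: set
    endpoints: dict   # host -> ISO country code, or "??" when unresolved

    def high_risk_endpoints(self):
        return {h for h, cc in self.endpoints.items() if cc in HIGH_RISK_COUNTRIES}

    def unresolved_endpoints(self):
        return {h for h, cc in self.endpoints.items() if cc == "??"}

    def verdict(self):
        if self.high_risk_endpoints():
            return "block"
        if self.unresolved_endpoints():
            return "review"
        return "allow"


def vet(package, version, permissions, sdks, strings):
    """Pre-deployment vetting: build the report from what the app embeds."""
    endpoints = {h: HOST_COUNTRY.get(h, "??") for h in extract_hosts(strings)}
    return VettingReport(package, version, set(permissions), set(sdks), endpoints)


def drift(baseline, update):
    """What an update adds relative to the approved baseline.  Any new
    item means the earlier approval no longer covers this version."""
    return {
        "new_permissions": update.permissions - baseline.permissions,
        "new_sdks": update.sdks - baseline.sdks,
        "new_endpoints": {h: cc for h, cc in update.endpoints.items()
                          if h not in baseline.endpoints},
    }


def needs_revet(delta):
    return any(delta.values())


# Constructed inputs: version 1.4.0 as approved, and a 1.5.0 update that
# pulls in an ad SDK, a contacts permission and two new destinations.
V1_STRINGS = ["https://api.example-scan.net/v2/upload",
              "https://cdn.example-scan.net/assets", "build=1.4.0"]
V2_STRINGS = V1_STRINGS + ["https://telemetry.example-partner.cn/collect",
                           "http://203.0.113.9/beacon"]


def baseline_report():
    return vet("com.example.scanner", "1.4.0", {"CAMERA", "INTERNET"},
               {"ocr-core"}, V1_STRINGS)


def update_report():
    return vet("com.example.scanner", "1.5.0",
               {"CAMERA", "INTERNET", "READ_CONTACTS"},
               {"ocr-core", "adnet-sdk"}, V2_STRINGS)


if __name__ == "__main__":
    base, upd = baseline_report(), update_report()
    print(base.version, base.verdict(), sorted(base.endpoints))
    print(upd.version, upd.verdict(), sorted(upd.high_risk_endpoints()))
    print("re-vet needed:", needs_revet(drift(base, upd)))
```

The point of keeping the baseline report is the second half of the model: version 1.4.0 is approved, but the 1.5.0 update adds a contacts permission, an ad SDK and two destinations that resolve to a high-risk country, so the approval from the earlier vet no longer applies and the verdict flips to block before the update reaches a device.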

Congress challenges federal mobile security standard

The Susie Wiles impersonation incident has intensified scrutiny on federal mobile security, prompting renewed concern from lawmakers. In June 2025, Senator Ron Wyden (D-Ore.) sent a letter to the FBI arguing that current mobile protections for high-value government personnel are outdated and inadequate.

The letter followed a classified FBI briefing to congressional staff, where the Bureau emphasized traditional security practices such as avoiding suspicious links, using strong passwords, and steering clear of public Wi-Fi. Wyden criticized the guidance as too basic given today’s threat landscape—noting that these measures are insufficient against advanced threats like commercial “zero-click” spyware used to surveil senior officials.

Wyden urged the agency to adopt stronger, proactive controls specifically tailored to senior government targets, including:

  • Enabling Lockdown Mode (iOS) or Advanced Protection Mode (Android)
  • Implementing ad blocking
  • Disabling ad tracking IDs
  • Opting out of commercial data brokers

FBI Director Kash Patel acknowledged the seriousness of the issue in a public statement, saying, “Safeguarding our administration officials’ ability to securely communicate to accomplish the president’s mission is a top priority.” (Source: Associated Press, June 2025)

These steps are important, but they still don’t address the central threat: what happens when the apps themselves are the attack vector. Malicious or compromised mobile apps can bypass most of these mitigations through built-in permissions or background data collection—especially when they appear benign or are already installed.

The mobile threat landscape has evolved, and congressional oversight is starting to reflect that reality. Security teams need to catch up—quickly.

SignalGate wasn’t an anomaly. It was a symptom.

SignalGate wasn’t just a messaging app issue—it was a visibility failure. According to Chris Gogoel, Vice President and General Manager for Public Sector and APAC at Quokka, a modified Signal app named TeleMessage Signal “TM SGNL”, found to automatically archive encrypted messages in plaintext in a secondary location, has since been suspended after a reported hack.

The news brings into question the confidentiality of messages sent by the app’s users, who reportedly include former National Security Advisor Mike Waltz. It also raises the question: how did an unofficial app with questionable security practices end up on the phone of one of the highest-ranking national security officials in the US government?

Quokka also analyzed TeleMessage’s companion app for the encrypted messaging app Telegram, “TM TLGRM,” which provides the same archiving function, and found that the app (still available on the App Store today):

  • Contains URLs geo-located in countries sanctioned by the US
  • Has core backend services hosted outside the US
  • Fails several National Security Agency standard checks for safe encryption and memory usage
  • Disables basic security protections provided by the operating system

Many, but not all, government agencies already pre-vet apps and continuously vet installed apps to catch these high-risk vulnerabilities before the apps can cause harm. It is time to make this practice standard in all government agencies.

You can’t secure what you don’t see

If you’re not continuously vetting mobile apps—both before and after installation—you’re operating blind.

Mobile threats extend beyond supply chain risk. They also include malware, trojans, adware, ransomware, hack-tools, dialers, backdoors, and potentially unwanted applications (PUAs). These threats are designed to exploit vulnerabilities in mobile devices, applications, and connected infrastructure—often to gain unauthorized access, bypass controls, extract sensitive data, or send that data to foreign infrastructure in adversarial nations such as China, Iran, or North Korea.

At a minimum, mobile security should include:

  • MDM/UEM enforcement
  • Lockdown/Advanced Protection Mode
  • Mobile App Vetting (MAV)
  • Integration with SIEM/SOAR tooling (e.g., Microsoft Defender + Sentinel)

This isn’t about more alerts—it’s about actual visibility into what your apps are doing, where data is going, and whether the app that passed a store check two months ago still meets your standards today.

Current mobile security solutions are reactive or only manage devices. Mobile Threat Defense (MTD), for example, identifies threats after compromise. But mobile apps need to be vetted before they ever hit a device.

That means scanning every app before installation for hidden behaviors, embedded third-party code, and data flows that could introduce supply chain risk. It’s not just about catching malware. It’s about preventing compromise before it starts.

We’re talking about protecting not just devices, but everything they connect to—enterprise and personal data, infrastructure, backend systems. That includes evaluating software vendors, mapping data flow, and running risk assessments based on the actual threat landscape—not just generic phishing protections.

Your next mobile security solution

If your agency isn’t vetting mobile apps before deployment, you’re not securing the device—you’re just managing it. Quokka supports mobile app vetting directly via Q-scout’s enterprise-grade vetting platform.

We’ll show you what’s on your fleet, what’s at risk, and what needs to be removed—before it becomes a headline. Start with visibility. End with control. Let’s get to work.