How AI Models Like Mythos Are Changing Mobile AppSec Risk

Posted by Amy Schurr, Content Marketing Director

Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

A Q&A with NowSecure Cofounder Andrew Hoog

TL;DR:

  • AI models like Mythos accelerate vulnerability discovery and exploitation, shrinking defender response windows.
  • Attackers gain speed and scale; traditional AppSec processes struggle to keep up.
  • Mobile apps present prime targets due to public binaries, reverse engineering ease and heavy SDK usage.
  • A single SDK flaw can cascade across thousands of apps and millions of users.
  • Teams must shift to continuous testing, faster remediation and exploitability validation to keep pace.

What this shift means for your AppSec program

Frontier AI models are compressing the time between vulnerability discovery and exploitation. Anthropic’s Claude Mythos, designed to reason about code, identify vulnerabilities and simulate attack paths, recently demonstrated in a UK government evaluation that it could autonomously discover and exploit vulnerabilities and execute multi-step cyberattacks. These tasks traditionally required skilled human teams and significant time.

For CISOs and AppSec leaders, the question isn’t what one model can do today. It’s whether your program can keep pace as these capabilities scale.

AI compresses the time between vulnerability discovery and exploitation, creating real consequences for mobile application security teams.

We spoke with NowSecure Cofounder Andrew Hoog about what this shift means for mobile and why it may be one of the most exposed attack surfaces.

Is Mythos hype or a real risk for mobile AppSec teams?

There’s definitely hype, but there’s also enough real signal that you can’t ignore it. This is already reaching the board level. When executives start asking about something they’ve read in major publications, it becomes a preparedness issue.

The risk isn’t whether Mythos is perfect today. The risk is that these capabilities are improving faster than most AppSec programs are designed to adapt.

What changed with AI models like Mythos and why it matters for AppSec

The key shift is in code reasoning.

These models can:

  • Analyze entire codebases in context
  • Trace execution paths
  • Identify potential vulnerabilities across components

That’s not new, but the scale and speed are fundamentally different.

For AppSec teams, this changes the baseline:

Vulnerability discovery is no longer limited by human time or expertise.

This is especially relevant for mobile apps, where compiled binaries and runtime behavior create visibility gaps that traditional tools struggle to address. Mobile apps are distributed as downloadable binaries, making the entire codebase accessible for reverse engineering. This creates an ideal scenario for AI models to ingest, analyze code and surface vulnerabilities at scale, as explored further below.

Are AI-discovered vulnerabilities real in production systems?

There’s empirical evidence that these models are identifying real vulnerabilities. They’ve already surfaced issues in widely used systems, including vulnerabilities that have existed for years or even decades. 

That raises an uncomfortable but important question: What vulnerabilities are currently sitting in your mobile apps that haven’t been found yet?

This aligns with what mobile application security testing has shown for years. Many vulnerabilities never become CVEs and remain in production.

AI is collapsing the time between vulnerability discovery and exploitation — and most AppSec programs aren’t built for that pace.

How AI is accelerating vulnerability discovery and exploitation

It compresses time and removes friction.

Historically, AppSec relied on a buffer:

  • Time to discover vulnerabilities
  • Time to analyze them
  • Time to remediate

That buffer is shrinking quickly.

The UK evaluation demonstrated that models can:

  • Discover vulnerabilities
  • Chain multiple steps together
  • Execute complex attack paths

For attackers, AI becomes a force multiplier. For defenders, it becomes a race against time.

Why mobile apps are especially exposed to AI-driven attacks

Mobile sits at the intersection of accessibility, scale and value.

  • Accessible: Apps are public, downloadable and easy to reverse engineer
  • Analyzable: Small, self-contained binaries that are ideal for AI models
  • Scalable: A single flaw, especially in a third-party SDK, can impact millions of users
  • High-value: Identity, credentials, location and behavioral data
  • Unprotected: Devices operate outside traditional enterprise controls

For attackers using AI, mobile offers high impact with relatively low effort. In many ways, mobile acts as a pathfinder — an environment where attackers can quickly test, refine and scale AI-driven attack techniques before applying them more broadly.

How AI changes mobile app vulnerability exploitation

The biggest shift is speed.

Attackers can now:

  • Diff new and previous app versions
  • Identify exactly what changed
  • Isolate the vulnerability
  • Move toward exploitation quickly

What used to take highly skilled researchers days or weeks can increasingly be automated.

In practice, this can look like an attacker downloading a mobile app from the public store, reverse engineering the binary, identifying a change in authentication or token handling in a recent release and using that insight to access backend APIs or impersonate users.

This creates a critical gap: Attackers may understand and weaponize your patch faster than users adopt it.

How third-party SDKs amplify mobile app security risk

This is where AI amplifies scale.

Mobile apps rely heavily on third-party SDKs:

  • Code teams didn’t write
  • Code that may not be fully analyzed
  • Code reused across many applications

If a vulnerability is found in one SDK:

  • It can propagate across hundreds or thousands of apps
  • The blast radius can reach billions of installs

This turns AI-driven discovery into a software supply-chain multiplier, especially in industries like finance, retail and healthcare where the same SDKs are reused across high-value apps.

Where traditional AppSec programs miss mobile risk

Most AppSec programs were built for a slower, more predictable threat model.

Common gaps include:

  • Periodic testing instead of continuous analysis
  • Manual bottlenecks in triage and validation
  • Limited visibility into third-party code
  • Delayed confirmation of exploitability

Just as important, traditional AppSec tools focus heavily on source code and web applications. Mobile risk often lives in compiled binaries, runtime behavior and device interactions — areas those tools don’t fully analyze.

Mythos doesn’t create these gaps — it exposes them.

Why dynamic analysis is critical for mobile app security

It becomes critical. Static analysis can identify potential issues, but dynamic mobile analysis determines:

  • Whether the vulnerability is reachable
  • Whether it can be exploited
  • How it behaves in real conditions

If AppSec leaders aren’t validating exploitability, attackers will.

How AI is shrinking patch timelines for mobile apps

This is one of the biggest strategic implications.

If vulnerabilities can be:

  • Found faster
  • Understood faster
  • Exploited faster

Then traditional timelines may no longer hold.

Monthly or even weekly patch cycles may introduce unnecessary exposure.

In mobile environments, where users don’t immediately update apps, this can directly translate into account takeover, fraud and large-scale exposure of customer data.

AppSec leaders need to rethink:

  • Time-to-remediation
  • Patch prioritization
  • Acceptable exposure windows

What AppSec leaders should do to respond to AI-driven risk

Start with fundamentals, reprioritize and plan for acceleration.

Immediate priorities:

  • Enforce MFA
  • Maintain asset visibility
  • Ensure patch discipline
  • Strengthen defense in depth

Strategic shift:

  • Move toward continuous testing
  • Reduce time to detection and response
  • Increase automation in validation and analysis

In mobile pipelines, security testing often happens before release, but attackers analyze the released binary. That gap between pre-release testing and post-release exposure is where these AI-driven attacks can move fastest.

If attackers scale with AI, defenders need to scale as well.

Why mobile app security is different from traditional AppSec

Most of the Mythos coverage has focused on network infrastructure and enterprise software. The mobile angle has been largely absent, and that’s where we spend every day.

Years of mobile app testing across industries have shown us something consistent: mobile vulnerability risk is systematically underestimated. Many vulnerabilities never become CVEs. Many never get patched. They sit in production, in apps used by millions of people, invisible to the tools most security teams rely on.

That’s what makes this moment significant for mobile specifically. Apps are public, downloadable and easy to reverse engineer, a single binary that’s the perfect input for a model built to reason about code. If an attacker finds a vulnerability in one SDK, it can propagate across hundreds of apps and millions of installs. Mobile isn’t an afterthought. It’s where attackers will get their fastest wins.

The Clock Is Already Running

When a new app version drops, attackers may develop a working exploit within the hour. Is your security program built for that? Talk to NowSecure.