Users have downloaded more than two billion data-stealing Android apps, while large swathes of enterprises are reportedly housing malicious iOS apps, according to security firm Proofpoint.

The firm found some 12,000 malicious apps across 'authorised' Android app stores, with code to steal data, create backdoors, and wreak havoc in other ways.

"Malicious mobile apps are no longer corner cases - they’re real-world threats," researchers wrote in the report (PDF).

"Our analysis of authorised Android app stores discovered more than 12,000 malicious mobile apps - capable of stealing information, creating backdoors, and other functions - accounting for more than 2 billion downloads."

The firm says in its report that a surprising 40 per cent of an undisclosed number of enterprises using Proofpoint's TAP mobile security had Apple devices running malicious apps.

Those apps did not necessarily compromise only jailbroken phones and could use various user-initiated enterprise managing features and side-loading techniques to load on devices.

"About 40 percent of large enterprises sampled by Proofpoint TAP Mobile Defense researchers had malicious apps from DarkSideLoader marketplaces - that is, rogue app stores - on them," researchers wrote, adding that "... users who download apps from rogue marketplaces - and bypass multiple security warnings in the process - are four times more likely to download an app that is malicious."

The statistics are surprising since iOS is generally more secure than Android on account of its restricted application installation controls.

Android version history. Image: Erikrespo.

Google-powered fondleslab-and-smartmobe users can simply flick a switch to allow installation of apps from any source.

While the much-improved Android 6.0 restricts the damage malicious software can create, most users are stuck in an Android 4.4. KitKat time-warp.

The much-popped late-2013 release of Android still runs on 36 percent of devices, just out-pacing version 5.0 a.k.a Lollipop which runs on 34 percent of Androids, the company reckons.

Russian security firm Kaspersky has also emitted statistics on the mobile malware menace. It reports that last year a whopping 94,344 were users hit with mobile ransomware, a five-fold uptick since 2014.

Kaspersky adds that the number of regular mobile banking trojans plummeted from 16,586 in 2014 to 7030, however it notes that super-user malware that gains root access on devices is "extremely popular" among criminals. ®