President Donald Trump has been using his personal Android smartphone in the White House, according to The New York Times. Many liberal outlets have expressed concern about Trump continuing to use his personal phone because of the possibility of a security breach.
Wired reported a list of things that should be taken into consideration by President Trump when it comes to using a device that is not secured. Among those risks were phishing attacks or malware. Just clicking on one link, even if it appears to be from a trusted source, could compromise the device.
Malware could take over the phone, allowing the virus to spy on the network the device is connected to, log keystrokes, or even take over the camera and microphone — and that could be extremely bad for the president.
A hacker may even be able to access the phone to use the device’s location feature and track President Trump’s whereabouts.
One good thing is that Trump does not use email, so it’s less likely malware could be delivered to him directly. He would have to click on an unverified link for his device to be infected.
Trump was reportedly issued a locked-down device when he took office, but still uses his old phone on occasion, as tweets sent from Android seemed to confirm.
The headlining concern around Trump using Android is that he’s likely not protected against phishing attacks or malware. All it takes is clicking on one malicious link or opening one untoward attachment—either of which can appear as though it were sent from a trusted source—to compromise the device. From there, the phone could be infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.
The attack may not even be so direct. Many apps request permission to track a phone’s location for legitimate purposes, and a hacker could compromise one of these accounts to determine where the phone, and potentially Trump himself, is at any given time.
Attempts to reach the White House to confirm that Trump is still using his personal Android phone were unsuccessful, and if there’s a silver lining it’s that Trump famously does not use email, which should reduce his digital exposure. But the mere fact of using an open Android device should still cause some serious alarm.
“What we know from looking at public information about disclosure of vulnerabilities and exploits on hardware and software is that Android devices have a very high volume of vulnerabilities. There’s a high level of exploitability of an Android phone,” says Sam Kassoumeh, chief operations officer at the security intelligence firm SecurityScorecard. Especially given the Android phone Trump likely uses.
Google is diligent about Android security, releasing monthly updates that patch known flaws. The problem, though, is that those updates are only available to a handful of devices at first, including those in Google’s own Nexus line.
Android phones have notoriously uneven security because the operating system is open source, allowing manufacturers and third-parties to put modified versions, or “forks,” of Android onto devices before selling them. This often makes it more difficult for phones to receive updates, patches, and full OS upgrades as they come out. As a result, phones that run stock Android can get regular security updates pushed from Google, but millions of devices will only have those improvements available on a delay, if ever. For some context, less than one percent of Android devices currently run the most recent major update, Android 7.0, which Google released late last summer.
Based on some photo analysis, Android Central thinksTrump may use a Samsung Galaxy S3, a model that was first released in 2012. Another report pegged it as a slightly more recent Galaxy S4. Regardless of specifics, any mainstream Android device would be problematic, even with some precautions in place.
“Hopefully the Secret Service is treating his device as already compromised and restricting that phone from having any connections to secret or official government materials, resources, networks, and documents,” says Greg Linares, a security researcher who specializes in threats intelligence and reverse engineering. “Exploitation of Android devices, for the most part, is not as trivial as it was even a few years ago. Attackers would still need to develop a reliable exploit and deliver it to the President. But since it is a non-hardened device, the level of threat is rather high.”