This week’s issue of #MobSec5 includes:

• What version of Android is the president’s smartphone running?
• Update your i-devices now – iOS 10.2.1 patches 18 vulnerabilities
• Encrypted messaging apps increasingly popular among politicians and their staff

Thanks for reading. Have a great weekend, be good, and stay safe.

The New iOS Update Fixes Big Security Holes, So Get It Now
(WIRED)

“Apple just released an iOS update full of security fixes that you need to jump on.”

Apple lists 18 vulnerabilities patched by the iOS 10.2.1 update released on Monday.

Donald Trump still using personal Android phone despite potential security risks
(The Telegraph)

“Donald Trump is still using his personal mobile phone, despite having been handed a secure device by officials, potentially posing a security threat to the country and its allies.”

Despite a report last week that President Donald Trump had “told a friend that he had given up his phone,” a New York Times article this week states that when the first lady and their son are in New York, Trump had “his old, unsecured Android phone, to the protests of some of his aides — to keep him company.” Based on photos of Trump using a smartphone from October 2015 and February 2016, an analysis by the Android Central website speculates that the president uses a Samsung Galaxy S III (S3). Samsung updated the phone to Android 4.3 in December of 2013. Some models received an update to Android 4.4.2 in early 2014. It’s not yet clear what personal phone the president might use or what he might use it for; but if the president is using an off-the-shelf Samsung Galaxy S3, it probably hasn’t received security updates for close to three years.

Trump aides’ use of encrypted messaging may violate records law
(ZDNet)

“Most of the president’s senior aides are not subject to freedom of information requests until after the president leaves office, but must still retain and archive their work communications for later release.”

A 2015 bulletin issued by the National Archives & Records Administration about managing electronic messages states, “Agencies must capture and manage [chat and text messages] in compliance with Federal records management laws, regulations, and policies.” As the ZDNet article explains, encrypted messaging apps are designed to make this capture difficult, if not impossible. Another interesting quandary that emerges from the increasing use of encrypted messaging apps by politicians is whether it will affect calls for encryption backdoors. If the topic of how increased security can hinder the collection of mobile data interests you, and you plan to attend RSA Conference 2017 – save your seat now for NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection.”

Tinker, Torrentor, Streamer, Spy: VPN privacy alert
(CSIRO blog)

“We have looked at 283 Android VPN apps, investigating a wide range of security and privacy features, and found they’re not as private as they claim.”

New ‘Hummingwhale’ Android Malware Downloaded Millions Of Times
(Information Security Buzz)

“This new variant, called ‘HummingWhale,’ includes new, cutting edge techniques that extend the capabilities of the original Hummingbad malware, and allow it to perform advertisement click fraud more effectively and stealthily than before from infected apps on Google Play.”

Charger Mobile Ransomware Removed from Google Play
(Threatpost)

“The infection path began after downloading the EnergyRescue app which steals the target’s contacts and SMS messages. Next, the app attempts to trick phone owners into granting EnergyRescue admin permissions. ‘If granted, the ransomware locks the device and displays a message demanding payment.’”

Spynote RAT posing as Netflix plus other popular apps
(SC Magazine)

“The trojan is capable of activating the devices microphone, uninstalling antivirus software, copy files to the hacker’s server, recording screen captures, viewing contacts, reading SMS messages, and remotely controlling the device.”

Google Rolls Out Instant Apps Feature For Android
(Tech Times)

“Eight months after Instant Apps was announced, the feature is now open for limited testing, with the first apps to include the feature being those of BuzzFeed, Periscope, Wish, and Viki.”

When Google originally announced Instant Apps, we explained on the NowSecure blog how the feature might be seen by attackers as a new attack vector.

Your Android device’s Pattern Lock can be cracked within five attempts
(Phys.org)

“By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy café for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner’s fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.”

Apple expected to replace Touch ID with two-step facial, fingerprint bio-recognition tech
(Apple Insider)

“Apple is developing advanced biometric security technologies, including facial recognition and optical fingerprint sensing designs, to replace the vaunted Touch ID module implemented in all iPhones and iPads since the release of iPhone 5s.”

Google I/O 2017 will be held at the Shoreline Amphitheater from May 17-19
(Android Police)

“Earlier today, Google sent developers on a wild scavenger hunt with five puzzles, eventually revealing the location to Google I/O – the Shoreline Amphitheatre in Mountain View, California.”

Four lesser-known Wi-Fi security threats and how to defend against them
(CSO)

“You’ve hardened your network against all the common weaknesses, now we’ll show you how to take your wireless security to the next level.”

Heartbleed Persists on 200,000 Servers, Devices
(Threatpost)

“Almost 200,000 servers are still vulnerable to Heartbleed, the OpenSSL vulnerability patched nearly three years ago.”

P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.