"The working assumption should be that Trump's phone is compromised by at least one — probably multiple — hostile foreign intelligence services and is actively being exploited," Weaver added in his blog.
Some analysts have said that if Trump is merely using the Android device to send out tweets, he might not have created an internal security problem. But even then, it isn't clear that he, or someone else, has set up his Twitter account in secure ways to prevent someone from spoofing his @realDonaldTrump or @POTUS accounts and sending out false statements.
"We don't even know if the tweets are really from him," Gold said in an interview. "It's not an overblown concern, because if someone tweets 'I'm about to attack Russia' on his account, that could cause a war or a financial panic. That's why this is such a major issue. The implications are catastrophic."
The president's official account, @POTUS, already has revealed sensitive information that hackers might be able to exploit.
A hacker who uses the name WauchulaGhost found that @POTUS was secured to a Gmail address that could be guessed as belonging to a Trump aide in charge of social media. In a tweet, WauchulaGhost urged several White House officials to change their emails and fix their security settings, so that a hacker could not use a simple password reset on an account to figure out its email address and then try to compromise it.
Last year, Hillary Clinton's campaign chairman, John Podesta, was hacked by suspected Russian cyberspies through a spearphishing attack sent to his Gmail address. Later, his emails were stolen and then leaked publicly.
Security experts suggested that Twitter users can prevent exposure of their email addresses over Twitter by going to their account's security settings and clicking, "Require personal information to reset my password," which forces anyone trying to reset the password to enter the correct email address or phone number to continue.
Also, Twitter users can go to their security settings and check "Verify login requests," which secures the account with two-factor authentication. The user would then need to enter both a password and a one-time code sent to a mobile phone or generated by an authenticator app.
It isn't clear whether Trump's Twitter accounts have any such protections.
"It's troubling to me to not know how well Trump is being protected or how protective he is of his profile or his whole electronic persona," Gold said in an interview.
"Trump's going to do what he is going to do," he added. "This is a man who has said he knows cyber better than anyone. I'm not sure he's an expert. I'm sure people are advising him. I'm sure they are whispering in his ear. The problem is if he's listening."