Some versions of the stock email app in Android are plagued by a vulnerability that can be exploited to cause the application to crash, a researcher revealed on Friday.
According to Hector Marco, a Spain-based security researcher, an attacker can remotely launch a denial-of-service (DoS) attack against a user by sending them a specially crafted email.
“When the victim receives the malicious email, the application crashes while trying to download the email. Any attempt to open again the email application triggers a crash before the user can do anything. The email application can not be used until the offending email is removed,” Marco explained in a blog post.
“Since the application crashes immediately, to remove the malicious email is a little bit tricky. The easiest and straightforward way to remove it is by using other email client (or via web) from the inbox at the email server. Another way is by disabling the internet connexion (Airplane mode) before launching the email reader, and then you can remove the offending email,” he added.
The vulnerability has been described by the researcher as incorrect handling of the Content-Disposition header (CVE-2015-1574). An attacker can exploit the bug by sending an email with a malformed Content-Disposition header to the targeted user. Removing the email from the inbox is only a temporary solution because the attacker can send as many malicious email as he wants, Marco noted.
The vulnerability appears to affect older versions of the email app, which is installed by default on Android devices. The attack has been successfully reproduced on a Samsung Galaxy S4 Mini running version 4.2.2.0200 of the app.
According to the expert, version 4.2.2.0400 and later are not affected. Users can protect themselves against such attacks by updating the application.
Marco has published a proof-of-concept (PoC) exploit which sends a specially crafted email to a targeted user.
It’s unclear if the vulnerability has been reported to Google. However, security expert Graham Cluley reported that the issue might affect only Samsung devices.
*The article has been updated to clarify that the vulnerability exists in the stock Android email app, not the Gmail application as the original article stated.