Note: An earlier version of this article claimed that the problem affected the Gmail app on Android. The problem is, in fact, in the regular email app in Android – and potentially only on Samsung devices. The below article has been corrected to reflect this. Apologies for any confusion.
Security researcher Hector Marco has uncovered an interesting attack that can be launched against users of some versions of the stock Android email app.
Marco discovered that all an attacker has to do is send an email with a specially-crafted header, and they can cause the email Android app to crash.
The vulnerability, dubbed CVE-2015-1574, lies in how some versions of mail for Android parse the Content-Disposition header.
It appears that simply sending an email with a malformed Content-Disposition entry in its header can cause the app to crash.
Worse still, reopening the app will just cause it to crash again, because every time the app attempts to download the malicious email it will keep triggering the same fault.
This is, effectively, a denial of service attack. Albeit one that prevents you from easily accessing your email rather than an attack which clogs up your website and causes it to fall over.
Fortunately, there is an easy solution. The most obvious is to log into the web version of your email and delete the offending email there. Your Android mail app will no longer attempt to download the email (because it has been zapped) and so won’t see any offending email headers that might cause it to trip over itself.
Of course, that’s quite a nuisance if someone keeps emailing you malicious emails designed to crash your mail app.
But the permanent solution should be even simpler. If you can, update your email app to version 4.2.2.0400 or higher.
Unfortunately, as Marco explains, that may not be possible for everybody because of the hairy nature of software updates on the Android platform:
Unfortunately this is not possible in all cases. For instance, current Samsung Galaxy 4 mini fully updated (17 Jan 2015) is vulnerable to this attack and not higher versions to 4.2.2.0200 are available after update the system from “Software updates”.
Non-official Android ROMs or manually updates are possible but in some cases require root privileges in your device which in most cases causes a loss of warranty of the device.
If you’re unable to apply a fix, maybe you would be better off using a different email client entirely to access your email on Android?