How a single email can badly break your Android email app

Note: An earlier version of this article claimed that the problem affected the Gmail app on Android. The problem is, in fact, in the regular email app in Android - and potentially only on Samsung devices. The below article has been corrected to reflect this. Apologies for any confusion.


Security researcher Hector Marco has uncovered an interesting attack that can be launched against users of some versions of the stock Android email app.

Marco discovered that all an attacker has to do is send an email with a specially-crafted header, and they can cause the email Android app to crash.

Email app crash

The vulnerability, dubbed CVE-2015-1574, lies in how some versions of mail for Android parse the Content-Disposition header.

email header bug

It appears that simply sending an email with a malformed Content-Disposition entry in its header can cause the app to crash.

Worse still, reopening the app will just cause it to crash again, because every time the app attempts to download the malicious email it will keep triggering the same fault.

Gmail crash

This is, effectively, a denial of service attack. Albeit one that prevents you from easily accessing your email rather than an attack which clogs up your website and causes it to fall over.

Android email iconFortunately, there is an easy solution. The most obvious is to log into the web version of your email and delete the offending email there. Your Android mail app will no longer attempt to download the email (because it has been zapped) and so won't see any offending email headers that might cause it to trip over itself.

Of course, that's quite a nuisance if someone keeps emailing you malicious emails designed to crash your mail app.

But the permanent solution should be even simpler. If you can, update your email app to version 4.2.2.0400 or higher.

Unfortunately, as Marco explains, that may not be possible for everybody because of the hairy nature of software updates on the Android platform:

Unfortunately this is not possible in all cases. For instance, current Samsung Galaxy 4 mini fully updated (17 Jan 2015) is vulnerable to this attack and not higher versions to 4.2.2.0200 are available after update the system from "Software updates".

Non-official Android ROMs or manually updates are possible but in some cases require root privileges in your device which in most cases causes a loss of warranty of the device.

If you're unable to apply a fix, maybe you would be better off using a different email client entirely to access your email on Android?

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, ,

10 Responses

  1. holds

    February 18, 2015 at 1:29 pm #

    This is only on Samsung devices running android.. Android devices don't have this issue, it is caused by Samsung

    • Jason Shaw in reply to holds.

      February 18, 2015 at 1:39 pm #

      This. Disappointing reporting Graham. And it was even reported wrong twice (Gmail –> Stock Android Mail).

      • Graham Cluley in reply to Jason Shaw.

        February 18, 2015 at 2:14 pm #

        Sorry about the erroneous reporting Jason. I think I was misdirected by a SecurityWeek report (which I initially linked to) which referred throughout to Gmail. They're still saying it's Gmail at the moment, but I accept that that isn't accurate.

        If there are any other errors please feel free to leave a comment or drop me a line (https://www.grahamcluley.com/about-this-site/#complaints)

        I really appreciate having a great community of readers who can provide feedback on issues like this.

      • Coyote in reply to Jason Shaw.

        February 18, 2015 at 2:42 pm #

        I just want to point something out, because this type of thing is something I feel too many forget. I personally make an effort to always show this in myself even going as far as publicly criticising myself, giving a descriptive explanation of the problem in its full glory; yes, some might think it foolish but what would be foolish is not learning from whatever it is. I don't expect others to do this but many do similar albeit maybe not as extreme[1]. So here it is:

        We all make mistakes (yes, you too, absolutely everyone); what matters is fixing them as best as can, when discovered, as he always does. It isn't disappointing on his part nor is it any more disappointing for anyone to make a mistake. It IS disappointing if someone is made aware of a mistake, with evidence and then ignores it (that is, dismisses it or otherwise refuses to fix the problems… yet ironically that is just a mistake, too, no matter how anyone else interprets it). I would also argue that someone who claims what you claim, could be considered disappointing, to some (not to me because I don't know you and besides that I'm as cynical as they come so I don't at all expect [this] in others): accusing someone of a poor job [of something] because of an honest mistake is ignoring ones own mistakes/flaws/etc., whether intentionally or not, no matter the reason.

        Essentially, the only mistake you can make is to take a mistake as a failure and not learn from it (which is equivalent to doing nothing including indeed not correcting what you can).

        [1] Graham did exactly this: publicly admitting a mistake. I know other reporters (in all sorts of topics) do this, too. That is the opposite of disappointing. Coyote is just the extreme in that he enjoys dissecting his (otherwise) mistakes, no matter how stupid they seem (made worse because when instinct already made him realise it is a mistake before making it). But I'm the exception, not the rule. Just how I like it, I might add.

    • Graham Cluley in reply to holds.

      February 18, 2015 at 2:12 pm #

      Thanks for letting me know. I've mentioned that it is apparently only Samsung in the preamble.

      Does anyone know if Samsung or Google has made any response?

  2. Amit

    July 25, 2016 at 10:43 am #

    > They're still saying it's Gmail at the moment, but I accept that that isn't accurate.

    How do you know its not accurate? I'm having a problem with gmail app on android crashing repeatedly when reporting spam on certain messages. (Samsung Note 2, 4.2.2, gmail app v6.6.126913422.release).

    As a side note, in fact the problem escalated rapidly on my phone the first time I faced this problem last week. I tried multiple times to report spam on the same mail with the result that gmail app kept crashing. After some time I began to repeatedly get toast messages saying play store has crashed, google play services has crashed. I tried a zillion things to fix it, but finally had to factory reset for the first time in 3.5 years since buying the phone. I cant think of anything else except the spam mail problem which could lead to the larger problem I had.

    Now, once again for another mail, gmail app crashed twice when reporting spam. I've sent the report to gmail. But I've deleted the offending mail from the web app since I dont want to risk a system wide crash like last time.

    Then I started googling for this issue and chanced upon this page.

    Thanks.

  3. Amit

    July 25, 2016 at 10:49 am #

    Made a error in my previous post. Android version is 4.4.2, not 4.2.2.

  4. Syed

    September 6, 2016 at 5:02 pm #

    Another easy workaround that works for me… Install Inbox (from Google) App… Select the mail and mark it spam there.. and choose between Inbox and Gmail App as you wish or use both (a bit of convenience for me)

    • Samsnug=bloatware in reply to Syed.

      September 11, 2016 at 12:27 pm #

      Neither Inbox nor the old Gmail app will play nicely with the third party email acct that I use most of the time.

      When I try to add the acct, Inbox throws up an incorrect error message about a password/username mismatch

  5. DrM

    May 23, 2017 at 1:28 pm #

    No, it's the app, or gmail in chrome on Android, and opening a message that has encryption or signature crashes it. And it is still there in vers 3

Leave a Reply