Security researcher Hector Marco has revealed an interesting attack that can be launched against users of some versions of the Google stock Android email app.
Marco discovered that all an attacker has to do is send an email with a specially-crafted header, and they can cause the Android email app to crash.
An attacker can remotely perform a denial-of-service attack by sending a specially crafted email. No interaction from the user is needed to produce the crash; simply receiving the malicious email is enough.
When the victim receives the malicious email, the application crashes while trying to download the email.
Any attempt to reopen the email application triggers a crash before the user can do anything. The email application cannot be used until the offending email is removed.
Since the application crashes immediately, removing the malicious email is a little tricky. The easiest and most straightforward way to remove it is to delete it from the inbox on the email server using another email client.
Another way is to disable the internet connection before launching the email reader; the offending email can then be removed from the local mailbox.
Note that this is a workaround and does not prevent the attack. The attackers can send as many emails as they want, leaving the folder where the malicious email is present unusable until the email is removed.
The affected email application is the stock email application from Google, which is present on the official versions of Android. Since the vulnerable email version is the one used on a popular mobile phone, there may be a large number of affected users.
Upgrading the app is not possible on all Android versions. Marco said his current Samsung Galaxy 4 mini was fully updated and is vulnerable to this attack, because no version higher than 4.2.2.0200 is available for his device.