
Title says it all. Are there any known instances of exploits/vulnerabilities in the official Gmail app for Android that could allow a malicious email to install unwanted software on the phone when the user opens the email?

In particular:

  • the phone is configured to block installation of apps from third-party sources
  • no attachments are opened or downloaded

Searched for any articles or reports on this topic and couldn't find anything conclusive. What's the risk?

Anders
user1258361

1 Answer


Are there any known instances of exploits/vulnerabilities in the official Gmail app for Android that could allow a malicious email to install unwanted software on the phone when the user opens the email?

Probably not publicly. Such an exploit would probably be fairly valuable, so either the discoverer would cash in on one of Google's bug bounties, or it's being used in secret. If one were ever publicly revealed, presumably Google would fix it.

In particular:

  • the phone is configured to block installation of apps from third-party sources
  • no attachments are opened or downloaded

That will help protect people foolish enough to click a malicious link and then install an app they randomly received in an email. Against a proper exploit, such a setting is almost certainly irrelevant.

What's the risk?

Probably about the same as can be expected from any comparable app published by a major and competent company.

Alexander O'Mara
  • Forgot to mention in the original question that it only relates to opening an email message - no clicking on anything (links, attachments, other stuff). So the only risk would be any scripts or hidden programs that could be included in the email that run when the email is opened or when the user scrolls up/down in the email. – user1258361 Aug 30 '16 at 16:35