10

I just received an email from an unknown person, titled "da vinci" and containing a docx file with the same name. Not suspicious at all, right?

I have not opened or downloaded the file, but:

  • The email has been downloaded by the Gmail app in my Android phone (probably including the attachments).
  • It has been "read" by the app, in order to show me an Android notification about it.
  • Once in the Gmail app, I have opened the email myself (not the .docx). The only text it contained was "Scanned by Avast" and some URL. The app also showed me a small snippet preview of the Word document.

Is it possible to get infected this way? My guess: yes, but not very likely.

  • From the notification itself: yes, if the email body somehow exploits a vulnerability in Gmail's app or in Android. (Is there such a thing? Is this answer still valid?)
  • From reading the email on Gmail's app: same answer. Or it could contain malicious JavaScript... although I'm not sure if Gmail's app renders JavaScript or only HTML and CSS.
  • From the Word attachment: I guess again yes, if it somehow exploits some vulnerability in the Gmail snippet function.
  • Assuming the .docx actually was a virus, I guess it would focus on Windows and Word, not in some Android / Gmail vulnerability, right?

In this specific case, I've already deleted the email, should I do anything else? Reboot the phone or something?

AJPerez
  • 2
    Do you have reason to believe you are the target of a state-level actor having access to 0days for Gmail? If not, I would not worry, *iff* your Android is up-to-date with security patches and your Gmail app is also up-to-date. – Martin Schröder Apr 26 '19 at 08:20
  • No, of course not, I'm nobody :). My only concerns are losing information (ransomware, etc) or the device itself, or somebody accessing my private data or spending money or data quota on my phone. As for the Android updates... weeeell... I'm patched up to 2018-01. Not great, right? – AJPerez Apr 26 '19 at 09:04

2 Answers

4

TLDR

Is it possible to get infected this way?

Yes, it's possible. Is it likely? No.

Actual Answer

Let's take a look at your scenario from the attack surface perspective and also suggest methods to mitigate as much as possible.

First of all, it's a must to always keep your Android and apps up to date with the latest version. For example, both the Gmail app and the download component of Android have suffered from vulnerabilities in the past, though at the time of this writing there is no known vulnerability in either as far as I am aware.

The email has been downloaded by the Gmail app in my Android phone (probably including the attachments).

A good attack surface reduction would be to disable the app auto-download feature of attachments. The following article should help.

From reading the email on Gmail's app: same answer. Or it could contain malicious JavaScript... although I'm not sure if Gmail's app renders JavaScript or only HTML and CSS.

Although super paranoid, since it's a roughly possible attack vector, you can use a different app such as Thunderbird and view your emails without HTML rendering. Unless you work at a nuclear facility or are part of UN human rights watch etc., this is overkill.

From the notification itself: yes, if the email body somehow exploits a vulnerability in Gmail's app or in Android. (Is there such a thing? Is this answer still valid?)

I can't remember an actual exploit/vulnerability taking advantage of the notification mechanism (this would be crazy difficult to exploit properly), but again, from an attack surface perspective, you can disable notifications from the app.

From the Word attachment: I guess again yes if it somehow exploits some vulnerability in the Gmail snippet function.

Similarly to my previous comments, no known exploit was ever found, as far as I am aware, in the Gmail preview feature, but you can disable the preview feature from settings. This is a good practice to avoid misclicking malicious links etc.

Assuming the .docx actually was a virus, I guess it would focus on Windows and Word, not in some Android / Gmail vulnerability, right?

Correct, you are probably looking at a typical malware spam campaign.

In this specific case, I've already deleted the email, should I do anything else? Reboot the phone or something?

In this specific case, it seems like you don't need to do anything; it's not a targeted attack and it's not focused on you or your Android. Though it was fun answering your other questions (:

GelosSnake
0

Firstly, don't worry: if any keylogger were attached, it will stop working if you have not rooted your Android device. If you have any query, you can scan it on www.virustotal.com: upload your docx file and scan it. This will definitely help you. http://www.virustotal.com
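
A local, static look at such an attachment, as an added example that is not part of either answer: a .docx is a ZIP archive of XML parts, so it can be hashed and inspected without ever being opened in Word. The function names, report fields and the sample package below are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# A relationship whose target lives outside the package (remote template,
# linked object, or an ordinary hyperlink: review each one by hand).
EXTERNAL_REL = re.compile(rb'<Relationship\b[^>]*TargetMode="External"[^>]*>')
TARGET = re.compile(rb'\bTarget="([^"]*)"')
MAX_PART = 1_000_000  # skip oversized parts instead of inflating them


def triage_docx(data: bytes) -> dict:
    """Inspect a .docx as a ZIP of parts; nothing is rendered or executed."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "is_zip": False,
              "macros": [], "embedded": [], "external_targets": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # extension says .docx, content is something else
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                report["macros"].append(info.filename)  # VBA macro storage
            elif "/embeddings/" in name:
                report["embedded"].append(info.filename)  # embedded objects
            elif name.endswith(".rels") and info.file_size <= MAX_PART:
                for rel in EXTERNAL_REL.findall(zf.read(info)):
                    hit = TARGET.search(rel)
                    if hit:
                        report["external_targets"].append(hit.group(1).decode("utf-8", "replace"))
    return report


def build_sample() -> bytes:
    """Constructed sample: a minimal package with one external relationship."""
    rels = (b'<Relationships><Relationship Id="rId1" Type="t" '
            b'Target="https://example.invalid/t.dotm" TargetMode="External"/>'
            b'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample()))
```

The SHA-256 in the report can be used to look the file up on a scanning service by hash, which avoids uploading a document whose contents might be private.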