Flaw in the Android Gmail app opens to email spoofing attacks

The researchers Yan Zhu, discovered a flaw in the Gmail Android app that allowed her to change her display name in the account settings so that the final recipient will not be able to know the identity of the email sender.

Zhu provided a PoC of her attack by sending an email to someone by changing her display name to yan “”security@google.com,” as it visible in the following image.

“[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard. “It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail, With this bug, a hacker can get around these protections.”

“Filed a Gmail Android bug that lets me fake sender email address. [Google] said it’s not a security issue. ¯\_(ツ)_/¯.” Zhu tweeted.

• Enable antispam feature provided by your email service.
• Analyze the Email message headers and search for the legitimate IP addresses of the sender. Every time you suspect an email spoofing give a look to the header and search for the real source.
• Never Click on a Suspicious Link or open suspicious attachment. Be aware of any unsolicited email.
• Keep your PC’s Antimalware Up-to-Date.

Pierluigi Paganini

(Security Affairs – email spoofing, Gmail)