Receiving spam in Google Drive Mobile app notifications via “mentions”

CybersecurityWeekly
Nov 7, 2021

Especially Affecting: Users on Android Devices

There are 3 billion+ Android devices on the market, and 95% of them have the Google Drive app preinstalled. Users of the Google Drive mobile application are exposed to the potential vulnerability of receiving a plethora of unwanted notifications on their mobile phones.

These spam messages appear to come from a random, unknown person. In most cases, the notification tries to draw the user's attention to a “mention” of their name in a particular file or document. For example, the notification would say that someone has mentioned you in an important document. In most cases, the spam messages urge the user to click on the notification, which leads him/her to a document with a malicious URL.

Here is a sample of what these notifications typically look like.

Is this a problem?

Yes. Although the problem is not a major security threat, it carries the risk that naïve users click on malicious links, which can lead to phishing attacks.

I received such notifications. Does that mean that I am already hacked?

No. If you received such notifications, that does not necessarily mean that your device is compromised, nor does it mean that your Gmail account is hacked. Breathe!

But ensure that you do not click on such notifications. And even if you do by mistake, and you happen to see a shared document with some enticing URL, take the cue to abort the mission and do not click on it.

Is this a CVE?

Not sure about that; we have not (yet) found any disclosures about it. Since being notified when someone tags you is not a bug but (almost) a feature, this most likely will not make it to a CVE (unless exploited somehow). However, Google seems to be aware of the issue and will hopefully fix it soon.

What can I do to protect myself from such spam?

Well, for now, one recommendation is to change the notification settings and turn them off for Google Drive mentions. You can do this in several ways, depending on which Android version you are running; often you will find these settings above the notification itself.

Cybersecurity Weekly (CSW) is a free security newsletter that aims to spread cybersecurity vigilance for common users and to help them stay ahead of security.