Is it possible to get infected by opening an email in Android Gmail app?


Is it possible to get infected this way?

Yes, it's possible. Is it likely? No.

Actual Answer

Let's take a look at your scenario from the attack surface perspective and also suggest methods to mitigate as much as possible.

First of all, it's a must to always keep your Android and apps up to date with the latest version. For example, both the Gmail app and the download component of Android have suffered from vulnerabilities in the past, though at the time of this writing there is no known vulnerability in either, as far as I am aware.

The email has been downloaded by the Gmail app in my Android phone (probably including the attachments).

A good attack surface reduction would be to disable the app auto-download feature of attachments. The following article should help.

From reading the email on Gmail's app: same answer. Or it could contain malicious Javascript... although I'm not sure if Gmail's app renders Javascript or only html and css.

Although super paranoid, since it's roughly a possible attack vector, you can use a different app such as Thunderbird and view your emails without HTML rendering. Unless you work at a nuclear facility or are part of UN human rights watch etc., this is overkill.

From the notification itself: yes, if the email body somehow exploits a vulnerability in Gmail's app or in Android. (Is there such a thing? Is this answer still valid?)

I can't remember an actual exploit/vulnerability taking advantage of the notification mechanism (this would be crazy difficult to exploit properly), but again, from an attack surface perspective, you can disable notifications from the app.

From the Word attachment: I guess again yes if it somehow exploits some vulnerability in the Gmail snippet function.

Similarly to my previous comments, no known exploits were ever found, as far as I am aware, in Gmail's preview feature, but you can disable the preview feature from settings. This is a good practice to avoid misclicking malicious links etc.

Assuming the .docx actually was a virus, I guess it would focus on Windows and Word, not in some Android / Gmail vulnerability, right?

Correct, you are probably looking at a typical malware spam campaign.

In this specific case, I've already deleted the email, should I do anything else? Reboot the phone or something?

In this specific case, it seems like you don't need to do anything; it's not a targeted attack and it's not focused on you or your Android. Though it was fun answering your other questions (:
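
The points above about reading mail without HTML rendering and leaving attachments unopened can be illustrated with a short script that inspects a raw message while rendering nothing. This is an added example, not part of the original answer; the sample message, its addresses and the `triage` function name are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample message (not from the page): plain + HTML body and a .docx attachment.
SAMPLE = """\
From: sender@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b2
Content-Type: text/html; charset="utf-8"

<p>Invoice</p><script>document.title='x'</script><img src="http://tracker.example/p.gif">
--b2--
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="invoice.docx"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

def triage(raw):
    """Return (plain_text, html_flags, attachments) without rendering HTML or decoding attachments."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))   # only the text/plain alternative
    text = body.get_content().strip() if body else ""
    flags = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()                # inspected as a string, never rendered
            if re.search(r"<script\b", html, re.I):
                flags.add("script")
            if re.search(r"""\bsrc\s*=\s*["']?https?://""", html, re.I):
                flags.add("remote-content")
    attachments = [(a.get_filename(), a.get_content_type()) for a in msg.iter_attachments()]
    return text, sorted(flags), attachments

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The attachment is only listed by filename and declared content type; its payload is never decoded or written to disk.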