OnePlus OxygenOS Vulnerability Lets Apps Access SMS Data Without User Permission
A newly disclosed flaw in OnePlus OxygenOS lets any app on a device read SMS and MMS messages without asking the user.
Tracked as CVE-2025-10184, the issue stems from a permission bypass in the Telephony content provider (com.android.providers.telephony).
Normally, apps must hold the Android READ_SMS permission and prompt the user before accessing text messages.
In affected OxygenOS builds, however, core internal providers grant open access by default. This means apps can quietly query message data and metadata with no consent or notification.
CVE Details
CVE-2025-10184 affects multiple OnePlus devices running OxygenOS 12 and 15. Rapid7 researchers confirmed the flaw on OnePlus 8T (OxygenOS 12, build KB2003_11_C.33) and OnePlus 10 Pro 5G (OxygenOS 15, builds NE2213_15.0.0.502 and NE2213_15.0.0.901).
| CVE ID | Vulnerability Description | Affected OxygenOS Versions |
| CVE-2025-10184 | Telephony provider permission bypass allows any app to read SMS/MMS data without consent | 12, 14, 15 |
Three additional content providers PushMessageProvider, PushShopProvider, and ServiceNumberProvider were introduced by OnePlus without proper permission checks.
These providers allow read and write operations by any app. A blind SQL injection vulnerability in the ServiceNumberProvider’s update method lets malicious apps infer and extract SMS content one character at a time, bypassing READ_SMS enforcement.
Text messaging is widely used for one-time codes and personal communication, making this flaw a serious privacy and security risk.
An app could silently steal banking, email, or social media verification codes sent via SMS.
Malicious software could harvest incoming messages in real time, while state-sponsored actors or oppressive regimes might exploit the issue for mass surveillance.
The vulnerability effectively breaks SMS-based multi-factor authentication protections and undermines user trust in text message verification.
Rapid7 published the advisory on September 22, 2025, marking CVE-2025-10184 as not fixed.
Attempts to coordinate through OnePlus’s public bug bounty failed due to restrictive nondisclosure terms.
On September 24, OnePlus acknowledged the report and confirmed an investigation is underway.
No security update schedule has been announced, leaving users exposed until a patch is released.
While awaiting a vendor fix, users should:
- Install only trusted apps: Remove nonessential applications and limit installs to verified sources.
- Switch authentication methods: Replace SMS-based multi-factor authentication with authenticator apps.
- Use encrypted messaging: Favor end-to-end encrypted services instead of standard SMS.
- Opt for push notifications: Where available, switch critical alerts from SMS to in-app notifications.
Security teams and mobile device managers should audit installed apps for unusual SMS access and enforce strict permission policies.
Until OnePlus issues a fix, proactive app hygiene and MFA best practices remain the strongest defenses against unauthorized access to sensitive message data.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
Post Comment