OnePlus SMS Vulnerability Puts Your Phone at Risk

Summary
– A security vulnerability exposes SMS and MMS data on most OnePlus phones currently in use, with a patch not expected until mid-October.
– Only OnePlus phones running the older OxygenOS 11 or earlier are considered safe from this flaw, while devices on OxygenOS 12, 14, and 15 are vulnerable.
– The flaw, discovered by security firm Rapid7, allows installed apps to access SMS data without requiring permission, user interaction, or consent.
– OnePlus has acknowledged the issue and stated a fix will be rolled out globally via a software update starting in mid-October.
– Rapid7 publicly disclosed the flaw after failing to contact OnePlus privately and ruling out its bug bounty program due to a restrictive NDA.
A newly discovered security vulnerability places the vast majority of OnePlus smartphones at serious risk, potentially exposing sensitive SMS and MMS messages to unauthorized access. The flaw, which affects devices running OxygenOS 12 and newer, could allow an installed application to read text message data without any user permission or interaction. Security researchers warn that the issue sits deep in the system, making it a significant threat to user privacy. Only handsets still running the older OxygenOS 11, based on Android 11, are considered safe from this particular flaw.
The security firm Rapid7 first identified the vulnerability, linking it to modifications OnePlus made to the Android Telephony service. Their investigation revealed that the flaw enables apps to bypass standard security protocols, gaining access to SMS data silently. While the initial testing was conducted on a OnePlus 8T and a 10 Pro 5G, the nature of the problem suggests it is not limited to specific hardware models. The vulnerability is believed to stem from a core Android component that OnePlus altered, indicating a widespread impact across its recent product lineup.
OnePlus has officially acknowledged the problem, referencing it by its identifier, CVE-2025-10184. In a statement provided to media outlets, a company spokesperson confirmed that a fix has been developed. However, the rollout of this critical security patch is not scheduled to begin until mid-October, leaving a window of several weeks during which devices remain exposed. The company reiterated its commitment to customer data security but has not provided a reason for the delayed update timeline.
According to Rapid7’s public disclosure, attempts to contact OnePlus through private channels went unanswered. The researchers also decided against using the manufacturer’s official bug bounty program because of concerns over its “restrictive Non-Disclosure Agreement.” With no response to those private communications, Rapid7 chose to make the vulnerability public this week.
For OnePlus users concerned about their security in the interim, experts recommend several precautionary steps. Install applications only from trusted sources such as the Google Play Store, and remove any non-essential apps, since any installed app could read message data while the flaw remains unpatched. Moving conversations to encrypted messaging platforms such as Signal or WhatsApp keeps their content out of the SMS store altogether. Perhaps most critically, avoid using SMS for two-factor authentication where possible, and use a dedicated authenticator app instead, which is not affected by this specific flaw.
(Source: The Verge)