
Unpatched OnePlus Flaw Lets Malicious Apps Send Texts

Summary

– A vulnerability in OnePlus’s OxygenOS (CVE-2025-10184) allows any installed app to access SMS data without requiring user permission.
– The flaw stems from OnePlus modifying the Android Telephony package to add providers that lack proper write permission controls for SMS data.
– Attackers can exploit this via a blind SQL injection to reconstruct and exfiltrate SMS content from the device’s database.
– The unpatched vulnerability affects all OxygenOS versions from 12 through 15, as confirmed on devices like the OnePlus 8T and 10 Pro.
– OnePlus has acknowledged the issue after public disclosure and plans to release a fix via a software update starting in mid-October.

A newly identified security vulnerability in OnePlus smartphones could allow malicious applications to silently access sensitive text message data. This flaw, present in the company’s OxygenOS software, enables apps to read SMS content and metadata without requesting user permission or displaying any warning. The issue highlights a significant risk for users who rely on their devices for private communication and authentication.

The problem stems from modifications OnePlus made to the standard Android Telephony package. The company introduced additional exported content providers, including PushMessageProvider, PushShopProvider, and ServiceNumberProvider. Crucially, the security configuration for these components is flawed. Their manifest files fail to declare a necessary write permission for ‘READ_SMS,’ effectively leaving a door open by default. This means any application installed on the device, regardless of its permissions, can potentially interact with these providers.
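A defender reviewing a vendor-modified package can check for this pattern directly in a decoded manifest: an exported provider that guards reads but declares nothing for writes. The following is an added example, not code from the researchers or OnePlus; only the three provider class names come from the article, while the package name, authorities, attribute layout, the two comparison providers and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample (decoded manifest XML). Only the three provider class
# names come from the article; package, authorities, attribute layout and
# the two comparison providers are assumptions made for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".PushMessageProvider" android:exported="true"
        android:authorities="example.push_message"
        android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".PushShopProvider" android:exported="true"
        android:authorities="example.push_shop"
        android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".ServiceNumberProvider" android:exported="true"
        android:authorities="example.service_number"
        android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".HardenedProvider" android:exported="true"
        android:authorities="example.hardened"
        android:readPermission="android.permission.READ_SMS"
        android:writePermission="android.permission.WRITE_SMS" />
    <provider android:name=".InternalProvider" android:exported="false"
        android:authorities="example.internal" />
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_providers(manifest_xml):
    """List (provider name, unguarded operations) for exported providers."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        # Assumption: a missing android:exported is treated as not exported.
        if _attr(prov, "exported") != "true":
            continue
        both = _attr(prov, "permission")  # guards read and write together
        gaps = [op for op in ("read", "write")
                if not (_attr(prov, f"{op}Permission") or both)]
        if gaps:
            findings.append((_attr(prov, "name"), gaps))
    return findings


if __name__ == "__main__":
    for name, gaps in audit_providers(SAMPLE_MANIFEST):
        print(f"{name}: exported with no {'/'.join(gaps)} permission")
```

A provider flagged for `write` accepts insert, update and delete calls from any installed app, so its handling of caller-supplied selection strings deserves review next.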

Compounding the issue, the system does not properly sanitize inputs from client applications. This oversight enables a technique known as blind SQL injection. An attacker can use this method to slowly piece together the contents of the SMS database, extracting information one character at a time. As researchers described, by using an algorithm to repeat a specific process, it becomes possible to exfiltrate the entire database by interpreting the return value from an update method as a true or false indicator.

For this exploitation to be successful, several conditions must be met. The exposed database table needs to contain at least one existing row. The provider must also allow an insert function, enabling an attacker to create a dummy row if the table is empty. Finally, the target SMS table must reside in the same SQLite database file so that the injected subquery can reference it directly.

This vulnerability, officially tracked as CVE-2025-10184, affects a wide range of devices. It impacts all versions of OxygenOS from 12 through to the latest version, 15, which is built on Android 15. Security researchers confirmed the flaw on models including the OnePlus 8T and 10 Pro, running various software builds. They emphasize that the list of affected devices is likely not exhaustive, as the issue resides in a core Android component modified by OnePlus, suggesting it is not hardware-specific.

The disclosure process revealed communication challenges. Researchers attempted to contact OnePlus multiple times over several months, starting in May. After seven separate attempts yielded no response, the cybersecurity firm opted for public disclosure to inform users of the potential risk. Following the publication of their report, OnePlus acknowledged the disclosure and stated it had launched an investigation. The company has since communicated that a fix has been implemented and will be distributed globally via a software update beginning in mid-October.

In the interim, users are advised to exercise caution. Limiting the number of installed applications and only downloading software from trusted, reputable publishers can reduce the attack surface. More importantly, individuals should consider moving away from SMS-based two-factor authentication (2FA) and instead use dedicated OTP applications like Google Authenticator. For sensitive conversations, it is highly recommended to use end-to-end encrypted messaging platforms, as SMS messages on affected OnePlus devices are not properly isolated from other applications.

(Source: Bleeping Computer)
