OnePlus OxygenOS Flaw Exposes SMS Data: CVE-2025-10184 Remains Unpatched
A single overlooked permission in OnePlus’s OxygenOS has opened the door for rogue apps to quietly siphon off SMS messages, exposing millions of users to privacy breaches and security risks. The flaw, cataloged as CVE-2025-10184, stems from exported content providers in the Telephony package that lack proper write permissions, allowing any app—malicious or otherwise—to access sensitive SMS data without user consent (Bleeping Computer). This isn’t just a technical hiccup; it’s a real-world vulnerability that can be exploited to bypass multi-factor authentication (MFA) and even reconstruct messages via blind SQL injection attacks (Security Online).
The issue has persisted since OxygenOS 12’s debut in late 2021, and despite being flagged by security researchers, it remains unpatched as of September 2025 (The Register). The situation is further complicated by failed coordinated disclosure efforts, leaving users exposed while highlighting the importance of transparent communication between vendors and the security community (Cyber Daily). As rogue apps continue to proliferate, the risks extend beyond privacy, threatening the very foundations of mobile security and trust (ThreatNG Security).
Understanding the Vulnerability: How Rogue Apps Access Your SMS
Exploitation of OxygenOS Content Providers
The vulnerability in OnePlus phones, identified as CVE-2025-10184, arises from modifications OnePlus made to the Telephony package in its Android-based OxygenOS. OnePlus introduced additional exported content providers such as PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These providers do not declare a write permission alongside READ_SMS, which leaves them accessible to any app installed on the device by default. This oversight allows rogue apps to use these content providers to access SMS data without requiring explicit user permissions or interactions (Bleeping Computer).
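A manifest check for the exported-provider pattern described above, as an added example that is not OnePlus's code or taken from the cited reports. The manifest is constructed: the first three provider names come from the article, while the package name, authorities, GuardedProvider and InternalProvider are hypothetical, and the sample assumes reads are guarded by READ_SMS while no write permission is declared.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest, not OnePlus's real one. The first three provider names
# come from the article; package, authorities and the last two are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephony">
  <application>
    <provider android:name=".PushMessageProvider" android:exported="true"
              android:authorities="example.push_message"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".PushShopProvider" android:exported="true"
              android:authorities="example.push_shop"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".ServiceNumberProvider" android:exported="true"
              android:authorities="example.service_number"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".GuardedProvider" android:exported="true"
              android:authorities="example.guarded"
              android:permission="android.permission.READ_SMS"/>
    <provider android:name=".InternalProvider" android:exported="false"
              android:authorities="example.internal"/>
  </application>
</manifest>
"""


def audit_providers(manifest_xml):
    """List (provider, unguarded operations) for explicitly exported providers."""
    findings = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        if p.get(ANDROID + "exported") != "true":
            continue  # only explicit exports; the platform default is ignored here
        blanket = p.get(ANDROID + "permission")  # covers both reads and writes
        guards = {
            "read": p.get(ANDROID + "readPermission") or blanket,
            "write": p.get(ANDROID + "writePermission") or blanket,
        }
        missing = [op for op, perm in guards.items() if not perm]
        if missing:
            findings.append((p.get(ANDROID + "name"), missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_providers(SAMPLE_MANIFEST):
        print(f"{name}: exported with no permission on {', '.join(missing)}")
```

The check looks only at provider-level attributes; path-level permissions and URI grants are outside its scope.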
Bypassing Permissions and User Consent
The core issue with CVE-2025-10184 is its ability to bypass standard Android permission protocols. Typically, apps require explicit permissions to access sensitive data like SMS messages. However, due to the vulnerability, any app can read SMS and MMS data without needing the READ_SMS permission. This bypass not only compromises user privacy but also undermines the trust in app permissions, as users are not notified about the unauthorized access (Security Online).
Blind SQL Injection Risks
An additional layer of risk is introduced through the potential for blind SQL injection attacks. The lack of input sanitization in the affected content providers allows malicious apps to perform SQL injection attacks. This technique can be used to reconstruct SMS content from the device database, character by character, further exacerbating the privacy breach. Such attacks can be executed silently, without any user interaction, making them particularly insidious (Bleeping Computer).
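One way a provider can sanitize caller-supplied selections before they reach SQLite, modelled here with Python's sqlite3 as an added example (not Android or OnePlus code). The table, column allowlist and function names are assumptions, and the validator is a token allowlist rather than a full SQL parser.

```python
import re
import sqlite3

ALLOWED_COLUMNS = {"id", "number"}  # columns callers may filter on (assumed schema)
KEYWORDS = {"AND", "OR", "NOT"}
TOKEN = re.compile(r"\s*(\?|<=|>=|<>|!=|=|<|>|[A-Za-z_]\w*)")


def open_db():
    # Constructed in-memory table standing in for a provider's backing store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE service_numbers (id INTEGER PRIMARY KEY, number TEXT, label TEXT)")
    db.executemany("INSERT INTO service_numbers (number, label) VALUES (?, ?)",
                   [("10086", "carrier"), ("95555", "bank"), ("12306", "rail")])
    return db


def validate_selection(selection, selection_args):
    """Allow only allowlisted columns, comparison operators, AND/OR/NOT and '?'."""
    text = selection.strip()
    if not text:
        raise ValueError("empty selection")
    pos = placeholders = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:  # parentheses, quotes, digits, comments and ';' all land here
            raise ValueError(f"illegal token at offset {pos}: {text[pos:pos + 12]!r}")
        tok = m.group(1)
        if tok == "?":
            placeholders += 1
        elif tok[0].isalpha() or tok[0] == "_":
            if tok.upper() not in KEYWORDS and tok.lower() not in ALLOWED_COLUMNS:
                raise ValueError(f"identifier not allowed: {tok!r}")
        pos = m.end()
    if placeholders != len(selection_args):
        raise ValueError("placeholder count does not match selection_args")


def provider_update(db, label, selection, selection_args):
    # The selection is spliced into SQL only after validation; every value
    # the caller supplies travels as a bound parameter.
    validate_selection(selection, selection_args)
    cur = db.execute(f"UPDATE service_numbers SET label = ? WHERE {selection}",
                     (label, *selection_args))
    return cur.rowcount
```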
Historical Context and Persistent Vulnerability
The vulnerability has been present since the release of OxygenOS 12 on December 7, 2021, and affects multiple versions of the operating system. Despite being disclosed by Rapid7, the flaw remains unpatched as of September 23, 2025. This prolonged exposure highlights a significant lapse in OnePlus’s security response and patch management processes. The issue does not affect OxygenOS 11, indicating that the vulnerability was introduced with subsequent updates (The Register).
Implications for Multi-Factor Authentication (MFA)
The ability of rogue apps to access SMS data has severe implications for multi-factor authentication (MFA) systems that rely on SMS-based verification codes. By intercepting these codes, malicious apps can effectively bypass MFA protections, posing a significant threat to user accounts and sensitive information. This vulnerability underscores the need for more secure authentication methods beyond SMS-based systems (Security Online).
Challenges in Coordinated Disclosure
Efforts to address the vulnerability have been hampered by challenges in coordinated disclosure. Rapid7’s attempts to engage with OnePlus through their bug bounty program were unsuccessful due to restrictive non-disclosure agreement (NDA) terms. As a result, the vulnerability was publicly disclosed without a fix in place, leaving users exposed to potential exploitation. This situation highlights the importance of transparent and effective communication channels between security researchers and vendors (Cyber Daily).
The Role of Rogue Mobile Apps
Rogue mobile apps play a critical role in exploiting the OnePlus vulnerability. These apps, often distributed through unofficial channels or masquerading as legitimate applications, are designed with malicious intent. They can infiltrate devices and perform unauthorized actions, such as accessing SMS data, without the user’s knowledge. The presence of rogue apps in both authorized and unauthorized app stores poses a significant threat to user security and privacy (ThreatNG Security).
Mitigation Strategies and Best Practices
While the vulnerability remains unpatched, users can adopt several mitigation strategies to protect their devices from rogue apps. These include:
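- App Vetting: Only download apps from trusted sources, such as the official Google Play Store, and verify the app’s permissions before installation. Because an app exploiting this flaw does not need to request READ_SMS, a short permission list alone does not show that an app is safe.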
- Security Software: Install reputable mobile security software to detect and block malicious apps.
- Regular Updates: Keep the device’s operating system and apps updated to benefit from the latest security patches and improvements.
- Alternative Authentication: Use authentication methods that do not rely on SMS, such as app-based or hardware token-based MFA solutions.
These best practices can help mitigate the risks associated with the OnePlus vulnerability and enhance overall device security (Arkose Labs).
Future Implications and Vendor Responsibility
The ongoing exposure of OnePlus users to the CVE-2025-10184 vulnerability raises important questions about vendor responsibility and the need for robust security practices. As mobile devices become increasingly integral to daily life, manufacturers must prioritize security and respond swiftly to vulnerabilities. The OnePlus case serves as a cautionary tale for the industry, emphasizing the importance of proactive security measures and timely patch management to protect users from emerging threats.
Final Thoughts
The OnePlus SMS vulnerability is a stark reminder that even a single misconfigured permission can have sweeping consequences for user privacy and security. With the flaw still unpatched, users must take proactive steps—like sticking to trusted app stores, using robust security software, and opting for non-SMS-based authentication—to reduce their risk (Arkose Labs).
This incident also underscores the urgent need for device manufacturers to prioritize rapid, transparent responses to security disclosures. As mobile devices become more central to our digital lives, the stakes for timely patching and responsible vendor behavior have never been higher. The OnePlus case should serve as a wake-up call for the industry: security can’t be an afterthought, and user trust depends on it (The Register).
References
- Unpatched flaw in OnePlus phones lets rogue apps read text messages. (2025). Bleeping Computer. https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-phones-lets-rogue-apps-text-messages/
- CVE-2025-10184: Unpatched OnePlus flaw exposes SMS data, breaks MFA, no patch. (2025). Security Online. https://securityonline.info/cve-2025-10184-unpatched-oneplus-flaw-exposes-sms-data-breaks-mfa-no-patch/
- Rapid7: OnePlus Android bug exposes SMS data. (2025). The Register. https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/
- Security researchers spot high-impact vulnerability in OxygenOS Android phones. (2025). Cyber Daily. https://www.cyberdaily.au/security/12682-security-researchers-spot-high-impact-vulnerability-in-oxygenos-android-phones
- Rogue Mobile Apps. (2025). ThreatNG Security. https://www.threatngsecurity.com/glossary/rogue-mobile-apps
- What is SMS security? (2025). Arkose Labs. https://www.arkoselabs.com/toll-fraud/what-is-sms-security/