CVE-2025-12080, discovered by security researcher Gabriele Digregorio in March 2025 and awarded a bounty by Google’s Mobile Vulnerability Reward Program, allows any installed application to send text messages on behalf of the user without requiring permissions or user confirmation.
The vulnerability stems from improper intent handler configuration in Google Messages when it serves as the default SMS/MMS/RCS application on Wear OS devices.
Attackers can exploit ACTION_SENDTO intents using vulnerable URI schemes, including sms:, smsto:, mms:, and mmsto: to trigger automatic message sending.
Unlike standard Android behavior, Google Messages on Wear OS fails to display a confirmation prompt before executing these sensitive operations, creating what security experts call a “confused-deputy” vulnerability.
Android and Wear OS rely on intents as their core communication mechanism, allowing applications to request actions from other components.
Intent handlers typically verify permission levels and require explicit user confirmation for sensitive operations such as sending messages.
However, Google Messages on Wear OS circumvents this security model entirely.
When receiving ACTION_SENDTO intents, the application processes the request immediately without prompting the user or verifying the caller’s legitimacy.
The impact proves particularly severe because Google Messages is the default SMS/MMS/RCS application on many Wear OS devices, with limited alternatives available.
This default status ensures the vulnerability remains exploitable across the majority of Wear OS deployments.
Additionally, the attack requires no special permissions from the malicious application, making it virtually undetectable to users reviewing app permissions.
The exploit operates through a straightforward mechanism. Any installed application can programmatically invoke an ACTION_SENDTO intent with target phone numbers and message content.
The vulnerable Google Messages application then sends these messages automatically on the user’s behalf.
Attackers could distribute seemingly legitimate applications that silently send SMS messages to arbitrary recipients, potentially enabling financial fraud, account takeovers through SMS-based authentication codes, or spreading malware through phishing links.
The stealthy nature of this vulnerability significantly increases its danger.
Users reviewing installed applications would see no obvious signs of malicious activity, as no special SMS permissions appear in the app’s manifest.
Messages are sent silently without user awareness until phone bill anomalies or account security alerts reveal the compromise.
Google addressed this vulnerability through security updates to Google Messages for Wear OS.
Users should immediately update their smartwatch applications through the Play Store and verify that their devices run the latest Wear OS builds.
Until patching, users concerned about exposure should review recently installed applications for suspicious behavior and consider temporarily disabling non-essential applications requiring internet connectivity.
This vulnerability underscores the importance of rigorous security reviews for messaging applications and demonstrates how platform-specific implementations can introduce critical gaps in Android’s established security model.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-12080 |
| Vulnerability Type | Intent Abuse / Confused Deputy |
| Affected Component | Google Messages for Wear OS |
| Affected Versions | Google Messages prior to version 2025_0225_RC03.wear_dynamic and earlier |
| Platforms | Wear OS (Android 15 and earlier) |
| CVSS Score | 8.1 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Exploitability | Requires installed application on device |
| User Interaction Required | No |
| Special Permissions Required | No (confused deputy pattern) |
| Discovered By | Gabriele Digregorio (Io_no) |
| Discovery Date | March 2025 |
| Public Disclosure | October 29, 2025 |
| Bounty Program | Google Mobile Vulnerability Reward Program |
| Tested Devices | Pixel Watch 3 (Wear OS, Android 15 BP1A.250305.019.w3) |
| Proof of Concept | Available on GitHub (io-no/CVE-2025-12080) |
| Remediation Status | Patched |
| Recommendation | Update Google Messages and Wear OS to latest versions immediately |
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The post Google Wear OS Vulnerability Allows Apps to Send SMS Without User Consent appeared first on Cyber Security News.
Looking for a powerful ebike with the speed and range to meet your ambitious needs?…
Lenovo is offering a great deal on an ultra-portable productivity laptop that can also do…
For the first time in years, Apple has introduced a new MacBook in its laptop…
In lieu of a polished livestream of a heavily produced, pre-recorded announcement of new stuff,…
Lanterns is one of the big shows that will be part of the first phase…
Tszarian Wright pleaded guilty to weapon possession and selling drugs and was sentenced to 6…
This website uses cookies.