Flaw in OnePlus phones lets apps read your texts, fix rolling out soon

What you need to know

  • Devices running OxygenOS 12 through 15 have a serious bug (CVE-2025-10184) that lets shady apps read and send your texts without permission.
  • Attackers could grab your 2FA codes or send messages as you, making account takeovers way easier.
  • OnePlus says a patch will roll out globally in mid-October to shut down the SMS loophole.

If you have a OnePlus phone with OxygenOS 12 through OxygenOS 15, you should be aware of a serious security issue. Researchers at Rapid7 found a flaw, identified as CVE-2025-10184, that lets harmful apps read and send your text messages without your permission.

In practice, this means an attacker could intercept sensitive texts like two-factor authentication (2FA) codes or even send out messages on your behalf, opening the door to account takeovers and fraud.

Rapid7 explains (via BleepingComputer) that the issue started when OnePlus modified Android’s built-in telephony content provider. The company added new components called PushMessageProvider, PushShopProvider, and ServiceNumberProvider, but did not set proper limits on write permissions. Because of this, harmful apps can abuse these components using SQL injection or similar tricks, getting around Android’s usual protections.
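For readers who audit Android builds, here is an added example (not from Rapid7, OnePlus, or the original article) of a check for the manifest pattern described above: a content provider that other apps can reach and that declares no write permission. The manifest fragment, package name, authorities, and the `com.example.permission.WRITE_MESSAGES` permission are constructed for illustration and are not the real OxygenOS values.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment for illustration; NOT the real OxygenOS manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".PushMessageProvider"
        android:authorities="example.push_message"
        android:exported="true"
        android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".GuardedProvider"
        android:authorities="example.guarded"
        android:exported="true"
        android:readPermission="android.permission.READ_SMS"
        android:writePermission="com.example.permission.WRITE_MESSAGES" />
    <provider android:name=".InternalProvider"
        android:authorities="example.internal"
        android:exported="false" />
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def unguarded_write_providers(manifest_xml):
    """Return names of exported providers whose write path has no permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        # Simplification: only an explicit exported="true" counts as reachable.
        if attr(provider, "exported") != "true":
            continue
        # android:permission, when set, guards both reads and writes.
        write_guard = attr(provider, "writePermission") or attr(provider, "permission")
        if not write_guard:
            findings.append(attr(provider, "name"))
    return findings


if __name__ == "__main__":
    for name in unguarded_write_providers(SAMPLE_MANIFEST):
        print("exported provider without write permission:", name)
```

The check only finds the missing permission; the provider's update and insert handlers still need parameterized queries so that caller-supplied selection strings cannot alter the SQL.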

Which phones are hit

The vulnerability has been confirmed on devices such as the OnePlus 8T with OxygenOS 12 and the OnePlus 10 Pro running OxygenOS 14 and 15, though Rapid7 warns that other models are likely impacted too.

OxygenOS 11 does not seem to have this problem, which means the flaw likely appeared in later versions. Since the issue affects how SMS messages are handled, it puts most recent OnePlus phones at risk and is more serious than most bugs.

The situation became more concerning because OnePlus was slow to respond. Rapid7 reported the flaw in May 2025 and followed up several times, but the company did not reply for months. OnePlus only recognized the problem after Rapid7 made its findings public and shared a proof of concept.

Fix incoming

The company has since confirmed that it has developed a fix and promised that a security patch will begin rolling out globally in mid-October, as per 9to5Google. According to OnePlus, the patch will address the permission bypass and close off the SMS loophole.

Until the update arrives, OnePlus users should be careful about which apps they install. Only download apps from trusted sources, since harmful apps are the main way this flaw can be used. It’s also a good idea to remove any apps you don’t use or that seem suspicious.

Experts also suggest using safer options for two-factor authentication, such as authenticator apps or hardware security keys, instead of relying on SMS codes.

Jay Bonggolto
News Writer & Reviewer
