A OnePlus spokesperson gave 9to5Google the following statement:

We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.

As for how this happened, essentially, OnePlus seemingly modified the stock Telephony app back in the Android 12 days — this bug doesn’t exist in OxygenOS 11 — to add additional content providers into the service, including the following three listings:

  • com.android.providers.telephony.PushMessageProvider

  • com.android.providers.telephony.PushShopProvider

  • com.android.providers.telephony.ServiceNumberProvider

Modifying this package isn’t inherently bad, obviously, but when you’re dealing with something that can provide read and write access to messages stored on device, you need to take additional steps to ensure you aren’t leaving vulnerabilities — and that’s exactly what happened here. While OnePlus assigned read permissions for SMS messages to these providers, it failed to add write permissions, which, as Rapid7‘s blog post states, “may allow client apps to perform writer operations, if the relevant write […] operation is implemented within the provider.”

For now, OnePlus users should tread cautiously until that patch rolls out in mid-October. Rapid7 suggests only installing apps from known sources and removing all non-essential apps. If you receive OTP texts for 2FA logins, you’ll also want to switch to an authenticator app as soon as possible to prevent your code from being sent over SMS. Switching to a third-party chat application can also help in this regard.

  • FutileRecipe@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    25 days ago

    I’m not downplaying it or saying it shouldn’t be fixed, but…

    Effectively, due to modifications made to the standard Telephony package left the app open to abuse, allowing any installed application on an affected OnePlus device to access SMS and MMS data, along with metadata, “without permission, user interaction, or consent.”

    Just another vector. SMS is already plaintext/unencrypted, so shouldn’t be used unless you’re saying something you’re comfortable with the world knowing. Switch to E2EE apps

    • limerod@reddthat.comOPM
      link
      fedilink
      English
      arrow-up
      1
      ·
      24 days ago

      SMS is mostly used for 2-factor authentication, transaction status. Most people use Whatsapp, telegram or whatever messaging app is popular.

      What E2EE app do you use?

      • FutileRecipe@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        24 days ago

        SMS is mostly used for 2-factor authentication, transaction status.

        Which they really shouldn’t as it’s still in the clear. But banks are slow to change, especially if it costs them money. As for mostly, I think it depends on the region. I think I’ve read that the US, Canada, and a few (not all) European countries still use SMS.

        I use Signal, which is widely considered the gold standard for E2EE apps, with the client app of Molly specifically (a hardened version of Signal).