Rapid7: OnePlus phones vulnerable to SMS theft since 2021
"The vulnerability operates silently - users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction. A successful exploit could let attackers bypass SMS-based MFA account protections or give surveillance-hungry governments easy access to messages. An attacker-controlled app needs no special permissions in order to read the data; instead, it exploits a flaw in the internal content provider com.oneplus.provider.telephony."
"Tracked as CVE-2025-10184 with 8.2 severity rating, the researchers said: "The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection." The vulnerability operates silently - users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction. Content providers, integral to the Android platform, manage data access through APIs and enforce permissions that prevent unauthorized external app access. This vulnerability circumvents those protections entirely."
Multiple OxygenOS builds contain a persistent vulnerability that allows any app to read SMS and MMS content without permission. Tests indicate OxygenOS 12 (released December 7, 2021) introduced the flaw, while OxygenOS 11 remained unaffected. The flaw stems from internal content providers that are reachable without any permission and are vulnerable to SQL injection; it is tracked as CVE-2025-10184 with an 8.2 severity rating. An attacker-controlled app can exploit com.oneplus.provider.telephony to read messages silently, requiring no user interaction and no special permissions. Successful exploitation can bypass SMS-based multi-factor authentication and enable covert access to personal communications. Rapid7 published exploit details and code snippets.
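The two root causes described above, a content provider reachable without permission and a query path vulnerable to SQL injection, map onto two defensive controls an Android developer can apply. The following is an added illustration written for this summary; it is not OnePlus or Rapid7 code and does not reflect how com.oneplus.provider.telephony is implemented. The package name, authority, table layout and column names are constructed for the example. It shows a provider that is not exported at all (so no other app can reach it) and that still binds caller-supplied selection arguments and restricts column names through SQLiteQueryBuilder's strict modes as defence in depth.

```java
// AndroidManifest.xml fragment (constructed for this example; hypothetical names):
//   <provider
//       android:name=".MessageStoreProvider"
//       android:authorities="com.example.messagestore"
//       android:exported="false" />
// A provider only the owning app uses should not be exported. If it must be
// shared, declare android:readPermission / android:writePermission instead of
// relying on callers behaving.

package com.example.messagestore; // hypothetical package

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class MessageStoreProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.messagestore"; // hypothetical
    static final int MESSAGES = 1;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Allow-list of columns a caller may name in a projection or ORDER BY.
    static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, "messages", MESSAGES);
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("address", "address");
        PROJECTION_MAP.put("body", "body");
        PROJECTION_MAP.put("date", "date");
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "messages.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE messages (_id INTEGER PRIMARY KEY, "
                        + "address TEXT, body TEXT, date INTEGER)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (MATCHER.match(uri) != MESSAGES) {
            throw new IllegalArgumentException("Unknown URI " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("messages");
        qb.setProjectionMap(PROJECTION_MAP);
        // Strict modes: the selection is verified as a plain WHERE expression,
        // column names must come from the projection map, and arbitrary SQL
        // grammar (subqueries, UNION, comments) is rejected. Caller data still
        // travels in selectionArgs, never concatenated into the statement.
        qb.setStrict(true);          // available since API 14
        qb.setStrictColumns(true);   // available since API 28
        qb.setStrictGrammar(true);   // available since API 28
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.message"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
}
```

The manifest setting is the control that matters most: with `android:exported="false"`, the permission-less access path the article describes does not exist, and an app that is not the provider's owner cannot reach `query()` at all. The strict query-builder settings are there so that even an in-app caller (or a future change that exports the provider) cannot turn the `selection` and `sortOrder` strings into injected SQL. When auditing a device or ROM, checking `android:exported` and the declared permissions on each `<provider>` in the relevant packages is the quickest way to spot this class of exposure.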
Read at Theregister