
OnePlus OxygenOS Vulnerability Allows Any App to Read SMS Data Without Permission
OnePlus OxygenOS Vulnerability Exposes SMS Data to Malicious Apps
A recent discovery has sent ripples through the mobile security landscape, shining a light on a critical vulnerability within OnePlus’s OxygenOS. This flaw, which affects a wide range of OnePlus devices, permits any installed application to access and read SMS and MMS messages without requiring user permission or even providing a notification. For many, SMS remains a cornerstone of digital identity and security, particularly in multi-factor authentication (MFA) systems. The implications of this vulnerability are far-reaching and demand immediate attention from users and developers alike.
Understanding CVE-2025-10184: The Core of the Problem
The security vulnerability has been officially designated as CVE-2025-10184. This flaw specifically impacts multiple OnePlus devices running OxygenOS versions 12 through 15. At its heart, the vulnerability stems from a weakness in how OxygenOS handles application permissions, allowing an app to bypass standard Android security checks. Normally, accessing sensitive user data like SMS messages requires the app to hold the READ_SMS runtime permission, which the user must explicitly grant; in this scenario, a malicious or even poorly coded application can circumvent that safeguard.
This oversight poses a significant risk. Consider the volume of sensitive information often contained within SMS messages: financial alerts, password reset links, verification codes, and personal conversations. An unauthorized application with access to this data could facilitate identity theft, financial fraud, and privacy breaches.
Impact on Multi-Factor Authentication (MFA)
One of the most concerning aspects of CVE-2025-10184 is its potential to compromise SMS-based multi-factor authentication (MFA). Many online services rely on SMS as a second factor for verifying user logins, sending one-time passcodes (OTPs) to registered phone numbers. If a malicious application can read these OTPs directly from the device’s SMS inbox, it effectively neutralizes the security benefits of SMS-based MFA, opening the door for unauthorized account access. This undermines a critical layer of defense that countless users rely on for securing their online accounts.
Affected Devices and OxygenOS Versions
According to the cybersecuritynews.com report, the vulnerability extends across a broad range of OnePlus devices utilizing specific OxygenOS versions:
- OnePlus devices running OxygenOS version 12
- OnePlus devices running OxygenOS version 13
- OnePlus devices running OxygenOS version 14
- OnePlus devices running OxygenOS version 15 (version 15 had not yet moved fully beyond development at the time of the report, so its inclusion is a forward-looking concern)
Users of these devices should be particularly vigilant and prioritize any available security updates from OnePlus.
Remediation Actions
Addressing CVE-2025-10184 requires prompt action from both OnePlus and its users. Here’s what individuals can do:
- Update OxygenOS Immediately: The most crucial step is to install any available software updates from OnePlus. Security patches are typically released to address such vulnerabilities. Users should regularly check their device’s “System Updates” section.
- Exercise Caution with App Installations: Only download applications from trusted sources, such as the Google Play Store. Be wary of third-party app stores or direct APK downloads, as these are often unregulated and may harbor malicious software.
- Review App Permissions: While this vulnerability bypasses standard SMS permissions, a general practice of reviewing and revoking unnecessary permissions for installed applications is always recommended. This can limit potential exposure in other areas.
- Consider Alternatives to SMS MFA: Where possible, transition away from SMS-based MFA to more secure methods like authenticator apps (e.g., Google Authenticator, Authy) or hardware security keys. These methods are generally more resistant to SMS interception attacks.
- Enable Google Play Protect: Ensure Google Play Protect is active on your device. It scans apps for malicious behavior and can offer an additional layer of defense.
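The first three remediation steps above amount to a triage a user or help desk can script: is the device on one of the OxygenOS major versions the report names, and which installed apps did not come from Google Play? The following Python script is an added example, not code from the article or from OnePlus. It assumes the reader has adb access to the device and pastes in the output of `adb shell pm list packages -i` (the sample here is constructed). Treating `com.android.vending` as the only trusted installer is an assumption that mirrors the advice above; an `installer=null` entry is ambiguous (preinstalled system apps and adb-installed apps both show it), so the script reports it rather than judging it. The version check is deliberately coarse: the article only names major versions 12 through 15, and a fixed build will still carry one of those majors, so a "possibly affected" result means "go check System Updates", not "confirmed vulnerable".

```python
import re
from dataclasses import dataclass

# Affected OxygenOS major versions as stated in the report (12 through 15).
AFFECTED_MAJORS = range(12, 16)

# Installer package of the Google Play Store; treated as the trusted source (assumption).
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i` output; not from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=null
package:com.example.weather  installer=com.google.android.packageinstaller
package:com.oneplus.gallery  installer=null
"""

# One line of `pm list packages -i` output: "package:<name>  installer=<installer>".
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    origin: str  # "play", "sideloaded", or "unknown"


def classify_installer(installer: str) -> str:
    """Map the installer package name to a coarse origin label."""
    if installer == PLAY_STORE_INSTALLER:
        return "play"
    if installer == "null":
        # Preinstalled system apps and adb-installed apps both report null;
        # the script cannot tell them apart, so it flags them for review.
        return "unknown"
    # Anything else (e.g. the system package installer used for APK sideloads).
    return "sideloaded"


def parse_pm_list(text: str) -> list[Finding]:
    """Parse `pm list packages -i` output into Finding records, skipping unparsable lines."""
    findings = []
    for line in text.splitlines():
        match = PM_LINE.match(line.strip())
        if not match:
            continue
        installer = match["installer"]
        findings.append(Finding(match["pkg"], installer, classify_installer(installer)))
    return findings


def oxygenos_major(version: str):
    """Return the leading major number of a version string like '14.0.1', or None."""
    match = re.match(r"\s*(\d+)", version)
    return int(match.group(1)) if match else None


def is_affected_version(version: str) -> bool:
    """True if the major version falls in the range the report names (coarse check)."""
    major = oxygenos_major(version)
    return major is not None and major in AFFECTED_MAJORS


def triage(version: str, pm_output: str):
    """Return (possibly_affected, apps that did not come from Google Play)."""
    suspects = [f for f in parse_pm_list(pm_output) if f.origin != "play"]
    return is_affected_version(version), suspects


if __name__ == "__main__":
    # The version string would normally be read from the device's About screen.
    affected, suspects = triage("14.0.1", SAMPLE_PM_OUTPUT)
    print("OxygenOS major in affected range:", affected)
    for finding in suspects:
        print(f"  review: {finding.package} ({finding.origin}, installer={finding.installer})")
```

Run it with a real `pm list packages -i` dump in place of the constructed sample; the packages it lists are the ones worth checking against the "trusted sources" advice above, and an in-range version is the cue to install any pending OnePlus security update.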
Tools for Device Security and Monitoring
While specific tools for detecting this exact vulnerability at the user level might not be readily available, general mobile security practices are essential. Here are some tools that aid in overall device security and monitoring:
| Tool Name | Purpose | Link |
|---|---|---|
| Google Play Protect | Scans apps for malware and unwanted software. Built into Android. | Google Play Store |
| VirusTotal Mobile | Analyzes suspicious applications and files for malware. | Google Play Store |
| NetGuard | Firewall for Android that allows per-app control of internet access. | Google Play Store |
| Malwarebytes Security | Comprehensive mobile security, including malware detection and privacy audit. | Google Play Store |
Key Takeaways
The discovery of CVE-2025-10184 in OnePlus OxygenOS is a stark reminder of the persistent threats in the mobile ecosystem. An unauthorized application gaining access to SMS data without permission is a serious privacy and security breach, particularly for those relying on SMS for MFA. Users of affected OnePlus devices must prioritize software updates and adopt a proactive stance on mobile security, including scrutinizing app permissions and considering stronger authentication methods. Device manufacturers have a continuous responsibility to harden their operating systems against such sophisticated bypasses to safeguard user data.