Cyber Web Spider Blog – News


Google Wear OS Message App Vulnerability Lets Any Installed App Send SMS on Behalf of the User

Posted on October 29, 2025 By CWS

A vulnerability in Google Messages on Wear OS devices allows any installed app to silently send SMS, MMS, or RCS messages on behalf of the user.

Tracked as CVE-2025-12080, the issue stems from improper handling of ACTION_SENDTO intents using URI schemes like sms:, smsto:, mms:, and mmsto:.

This misconfiguration bypasses user confirmation and permission checks, enabling attackers to dispatch messages to arbitrary recipients without detection.

Google Messages is the default messaging app on most Wear OS smartwatches, which exacerbates the risk. With limited alternatives available, the flaw likely affects the majority of devices running the platform.

Disclosed earlier this year, the vulnerability highlights ongoing challenges in securing wearable ecosystems, where compact interfaces and implicit trust in system apps can amplify threats.

Security firm io-no reported the issue via Google’s Mobile Vulnerability Reward Program, earning a $2,250 bounty before a fix rolled out in May 2025.

Wear OS Message App Vulnerability

At its core, the issue lies in Android’s intent system, a fundamental mechanism for app-to-app communication. Intents allow components to request actions, such as opening a dialer or sending a message, by specifying an action and a data URI.

Explicit intents target a specific app component, while implicit ones let the system route to matching intent filters declared by apps. In theory, sensitive operations like sending messages should trigger a confirmation prompt in the receiving app to ensure user consent.

This prevents the “confused deputy” pattern, where a privileged app unwittingly executes actions for an untrusted caller. On standard Android, Google Messages adheres to this by prompting before dispatch.

However, on Wear OS, the app’s intent filters for messaging schemes fail to enforce verification. As a result, any app can fire an ACTION_SENDTO intent without needing SEND_SMS permissions, and Google Messages will process it automatically.
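The receiver-side pattern described above, as an added sketch (not Google's fix and not code from the original article): a messaging app treats an incoming ACTION_SENDTO intent as an untrusted draft and sends only after an explicit user tap. The class name `ConfirmSendActivity` and the UI are hypothetical; `sms_body` is the conventional extra for prefilled text, and the app is assumed to hold SEND_SMS itself.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.telephony.SmsManager
import android.widget.Button
import android.widget.EditText
import android.widget.LinearLayout
import android.widget.TextView

// Hypothetical compose screen of a messaging app that holds SEND_SMS.
// The calling app is untrusted: its intent only pre-fills a draft.
class ConfirmSendActivity : Activity() {

    private val allowedSchemes = setOf("sms", "smsto", "mms", "mmsto")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        val uri = intent?.data
        val scheme = uri?.scheme?.lowercase() ?: ""
        if (uri == null || intent.action != Intent.ACTION_SENDTO || scheme !in allowedSchemes) {
            finish(); return
        }

        // "smsto:<number>?body=..." -> the recipient is the part before '?'.
        val recipient = uri.schemeSpecificPart.orEmpty().substringBefore('?').trim()
        if (recipient.isEmpty()) { finish(); return }

        // Show the caller-supplied recipient and text so the user can review them.
        val header = TextView(this).apply { text = "Send message to $recipient?" }
        val draft = EditText(this).apply { setText(intent.getStringExtra("sms_body").orEmpty()) }

        val send = Button(this).apply {
            text = "Send"
            setOnClickListener {
                // The only path to SmsManager is this user-initiated click.
                val message = draft.text.toString()
                if (message.isNotBlank()) {
                    getSystemService(SmsManager::class.java)
                        .sendTextMessage(recipient, null, message, null, null)
                }
                finish()
            }
        }
        val cancel = Button(this).apply { text = "Cancel"; setOnClickListener { finish() } }

        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(header); addView(draft); addView(send); addView(cancel)
        })
    }
}
```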

The vulnerability doesn’t require malicious code in the exploiting app; a simple, legitimate-looking application suffices. For instance, a benign fitness tracker or wallpaper app could embed the intent trigger, activating on launch or button press.

Researchers note that Wear OS features like Tiles or complications, which also launch intents, could extend the attack surface, though these vectors remain unexplored.

The implications are severe for privacy and finances. An attacker could distribute a trojanized app via sideloading or third-party stores, then exfiltrate data via premium-rate SMS or harass contacts while impersonating the victim.

Exploitation is stealthy: no pop-ups, no permission requests, and no visible traces beyond the sent message log.

A proof-of-concept, available on GitHub at io-no/CVE-Reports, demonstrates the flaw using Kotlin code to invoke the intent with a sample message body and recipient URI.

Tested on a Pixel Watch 3 with Wear OS (Android 15, build BP1A.250305.019.w3) and Google Messages version 2025_0225_RC03, the PoC sends messages without interaction, though it omits real numbers for ethical reasons.

Google acknowledged the report on March 13, 2025, praised the discovery, and deployed patches by May. Users should update their devices promptly and scrutinize app installations.
