Posted in

Critical Wear OS Vulnerability lets Apps to Send Messages Without Permission

by Rakesh0

A newly discovered vulnerability in Google Messages on Wear OS devices allows any installed app to silently send SMS, MMS, or RCS messages without user consent. Tracked as CVE-2025-12080, this flaw affects most Wear OS smartwatches, posing serious privacy and security risks.

How the Vulnerability Works

At the core is Android’s intent system, which lets apps request actions from other apps:

  • Explicit intents: Target a specific app component.
  • Implicit intents: Let the system route requests to matching apps.

Normally, sending a message triggers a user confirmation to prevent abuse. On Wear OS, however, Google Messages’ intent filters for URI schemes like sms:, smsto:, mms:, and mmsto: fail to enforce verification.

This allows any app, even without SEND_SMS permissions, to send messages automatically by firing an ACTION_SENDTO intent.

Why Wear OS Makes This Vulnerability Worse

Wear OS devices amplify risk due to:

  • Default reliance on Google Messages, with few alternatives.
  • Small interfaces and implicit trust, making stealth attacks easier.
  • Potential attack vectors like Tiles or complications, which can launch intents.

Even a seemingly harmless app — such as a fitness tracker or wallpaper app — could silently exploit this flaw.

Potential Risks

The implications are serious:

  • Privacy violations: Apps can message contacts without your knowledge.
  • Financial threats: Messages could be sent to premium-rate numbers.
  • Reputation damage: Malicious actors could impersonate users.

The attack leaves no visible prompts, with only sent messages appearing in the log.

Discovery and Patch

  • Security firm io-no reported the issue via Google’s Mobile Vulnerability Reward Program.
  • The vulnerability was tested on a Pixel Watch 3 with Wear OS (Android 15) and Google Messages 2025_0225_RC03.
  • A $2,250 bounty was awarded, and Google rolled out a patch in May 2025.
  • A safe proof-of-concept is available on GitHub: io-no/CVE-ReportsAttachment.png.

How Users Can Protect Themselves

  • Update devices and apps: Always run the latest Wear OS and Google Messages versions.
  • Scrutinize installed apps: Avoid sideloaded or third-party apps that can launch messaging features.
  • Limit app permissions: Be careful with apps requesting messaging access.

Key Takeaways

  • CVE-2025-12080 highlights ongoing security challenges in wearables.
  • Compact interfaces, default app reliance, and implicit trust can amplify risks.
  • Vigilance, timely updates, and careful app selection are essential for safety.

✅ Recommended Actions

  1. Update Wear OS system and Google Messages immediately.
  2. Check app permissions for messaging-related actions.
  3. Avoid installing apps from untrusted sources.
  4. Monitor your message logs for unusual activity.
Subscribe

Leave a Reply

Your email address will not be published. Required fields are marked *