A vulnerability in Google Messages on Wear OS devices allows any installed app to silently send SMS, MMS, or RCS messages on behalf of the user.
Tracked as CVE-2025-12080, the issue stems from improper handling of ACTION_SENDTO intents that use the URI schemes sms:, smsto:, mms:, and mmsto:.
This misconfiguration bypasses user confirmation and permission checks, enabling attackers to dispatch messages to arbitrary recipients without detection.
Google Messages is the default messaging app on most Wear OS smartwatches, which widens the exposure. With limited alternatives available, the flaw likely affects the majority of devices running the platform.
Disclosed earlier this year, the vulnerability highlights ongoing challenges in securing wearable ecosystems, where compact interfaces and implicit trust in system apps can amplify threats.
Security firm io-no reported the issue through Google’s Mobile Vulnerability Reward Program, earning a $2,250 bounty before a fix rolled out in May 2025.
Wear OS Message App Vulnerability
At its core, the problem lies in Android’s intent system, a fundamental mechanism for app-to-app communication. Intents allow components to request actions, such as opening a dialer or sending a message, by specifying an action and a data URI.
Explicit intents target a specific app component, while implicit ones let the system route to matching intent filters declared by apps. In theory, sensitive operations like sending messages should trigger a confirmation prompt in the receiving app to ensure user consent.
This prevents the “confused deputy” pattern, where a privileged app unwittingly executes actions for an untrusted caller. On standard Android, Google Messages adheres to this by prompting before dispatch.
However, on Wear OS, the app’s intent filters for messaging schemes fail to enforce verification. As a result, any app can fire an ACTION_SENDTO intent without needing SEND_SMS permissions, and Google Messages will process it automatically.
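The receiving-side behaviour described above, as an added Kotlin example that is not Google Messages code and not the researchers' PoC: a hypothetical `ConfirmSendActivity` treats the ACTION_SENDTO caller as untrusted and reaches `SmsManager` only from an explicit user tap. The class name, the UI strings and the use of the `sms_body` extra are assumptions, as is that the handling app holds SEND_SMS and targets API 31 or later.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.telephony.SmsManager
import android.widget.Button
import android.widget.LinearLayout
import android.widget.TextView

// Added example: hypothetical handler for sms:/smsto: ACTION_SENDTO intents.
// Assumes this app holds SEND_SMS and targets API 31 or later.
class ConfirmSendActivity : Activity() {
    private val allowedSchemes = setOf("sms", "smsto")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // The calling app is untrusted: validate action and scheme first.
        val uri = intent?.data
        val scheme = uri?.scheme?.lowercase()
        if (uri == null || intent.action != Intent.ACTION_SENDTO || scheme !in allowedSchemes) {
            finish()
            return
        }
        // "sms:<number>?body=..." is an opaque URI; the number precedes '?'.
        val recipient = uri.schemeSpecificPart.orEmpty().substringBefore('?').trim()
        val body = intent.getStringExtra("sms_body").orEmpty()
        // sendTextMessage rejects empty arguments, so stop here instead.
        if (recipient.isEmpty() || body.isEmpty()) {
            finish()
            return
        }
        // Show exactly what would be sent, then wait for the user's decision.
        val summary = TextView(this).apply { text = "Send to $recipient?\n\n$body" }
        val send = Button(this).apply {
            text = "Send"
            // Ignore taps while another window covers this one.
            filterTouchesWhenObscured = true
            setOnClickListener {
                // Only code path that reaches SmsManager: an explicit tap.
                getSystemService(SmsManager::class.java)
                    .sendTextMessage(recipient, null, body, null, null)
                finish()
            }
        }
        val cancel = Button(this).apply { text = "Cancel"; setOnClickListener { finish() } }
        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(summary); addView(send); addView(cancel)
        })
    }
}
```

Nothing in `onCreate` sends on its own, so an intent fired by another app can at most open a prompt that names the recipient and the message text.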
The vulnerability doesn’t require malicious code in the exploiting app; a simple, legitimate-looking application suffices. For instance, a benign fitness tracker or wallpaper app could embed the intent trigger, activating on launch or button press.
Researchers note that Wear OS features like Tiles or complications, which also launch intents, could extend the attack surface, though these vectors remain unexplored.
The implications are severe for privacy and finances. An attacker could distribute a trojanized app via sideloading or third-party stores, then exfiltrate data through premium-rate SMS or harass contacts while impersonating the victim.
Exploitation is stealthy: no pop-ups, no permission requests, and no visible traces beyond the sent message log.
A proof-of-concept, available on GitHub at io-no/CVE-Reports, demonstrates the flaw using Kotlin code to invoke the intent with a sample message body and recipient URI.
Tested on a Pixel Watch 3 with Wear OS (Android 15, build BP1A.250305.019.w3) and Google Messages version 2025_0225_RC03, the PoC sends messages without interaction, though it omits real numbers for ethical reasons.
Google acknowledged the report on March 13, 2025, praised the discovery, and deployed patches by May. Users should update their devices promptly and scrutinize app installations.
The post Google Wear OS Message App Vulnerability Let Any Installed App To Send SMS Behalf Of User appeared first on Cyber Security News.


