Google Wear OS Message App Vulnerability Let Any Installed App To Send SMS Behalf Of User
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A vulnerability in Google Messages on Wear OS devices allows any installed app to silently send SMS, MMS, or RCS messages on behalf of the user.<\/p>\n
Dubbed CVE-2025-12080, the issue stems from improper handling of ACTION_SENDTO intents using URI schemes like sms:, smsto:, mms:, and mmsto:.<\/p>\n
This misconfiguration bypasses user confirmation and permission checks, enabling attackers to dispatch messages to arbitrary recipients without detection.<\/p>\n
Google Messages, the default messaging app on most Wear OS smartwatches<\/a>, exacerbates the risk. With limited alternatives available, the flaw likely affects the majority of devices running the platform.<\/p>\n Disclosed earlier this year, the vulnerability highlights ongoing challenges in securing wearable ecosystems, where compact interfaces and implicit trust in system apps can amplify threats. <\/p>\n Security firm io-no reported the issue<\/a> through Google\u2019s Mobile Vulnerability Reward Program, earning a $2,250 bounty before a fix rolled out in May 2025.<\/p>\n At its core, the problem lies in Android\u2019s intent system, a fundamental mechanism for app-to-app communication. Intents allow components to request actions, such as opening a dialer or sending a message, by specifying an action and a data URI.<\/p>\n Explicit intents target a specific app component, while implicit ones let the system route to matching intent filters declared by apps. In theory, sensitive operations like sending messages should trigger a confirmation prompt in the receiving app to ensure user consent.<\/p>\n This prevents the \u201cconfused deputy\u201d pattern, where a privileged app unwittingly executes actions for an untrusted caller. On standard Android, Google Messages adheres to this by prompting before dispatch. <\/p>\n However, on Wear OS, the app\u2019s intent filters for messaging schemes fail to enforce verification. As a result, any app can fire an ACTION_SENDTO intent without needing SEND_SMS permissions, and Google Messages will process it automatically.<\/p>\n The vulnerability doesn\u2019t require malicious code in the exploiting app; a simple, legitimate-looking application suffices. For instance, a benign fitness tracker or wallpaper app could embed the intent trigger, activating on launch or button press.<\/p>\n Researchers note that Wear OS features like Tiles or complications, which also launch intents, could extend the attack surface, though these vectors remain unexplored.<\/p>\n The implications are severe for privacy and finances. An attacker could distribute a trojanized app<\/a> via sideloading or third-party stores, then exfiltrate data through premium-rate SMS or harass contacts impersonating the victim.<\/p>\n Exploitation is stealthy: no pop-ups, no permission requests, and no visible traces beyond the sent message log.<\/p>\n A proof-of-concept, available on GitHub<\/a> at io-no\/CVE-Reports, demonstrates the flaw using Kotlin code to invoke the intent with a sample message body and recipient URI.<\/p>\n Tested on a Pixel Watch 3 with Wear OS (Android 15, build BP1A.250305.019.w3) and Google Messages version 2025_0225_RC03, the PoC sends messages without interaction, though it omits real numbers for ethical reasons.<\/p>\n Google acknowledged the report on March 13, 2025, praised the discovery, and deployed patches by May. Users should update their devices promptly and scrutinize app installations. <\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Google Wear OS Message App Vulnerability Let Any Installed App To Send SMS Behalf Of User<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nWear OS Message App Vulnerability<\/strong><\/h2>\n