Critical Vulnerability in Google Messages on Wear OS Allows Unauthorized SMS Sending
A significant security flaw has been identified in the Google Messages app on Wear OS devices, enabling any installed application to send SMS, MMS, or RCS messages without user consent. This vulnerability, designated as CVE-2025-12080, arises from improper handling of ACTION_SENDTO intents associated with URI schemes such as sms:, smsto:, mms:, and mmsto:. Consequently, malicious applications can exploit this weakness to dispatch messages to arbitrary recipients without triggering user confirmation or requiring explicit permissions.
Understanding the Vulnerability
The core of this issue lies within Android’s intent system, a fundamental mechanism facilitating inter-application communication. Intents allow components to request actions—like opening a dialer or sending a message—by specifying an action and a data URI. While explicit intents target specific app components, implicit intents enable the system to route requests to appropriate applications based on declared intent filters.
In standard Android environments, sensitive operations such as sending messages typically prompt user confirmation to ensure consent, thereby preventing unauthorized actions initiated by untrusted sources. However, on Wear OS, the Google Messages app’s intent filters for messaging schemes fail to enforce such verification. As a result, any application can invoke an ACTION_SENDTO intent without possessing the SEND_SMS permission, leading Google Messages to process and send the message automatically.
Potential Exploitation Scenarios
The implications of this vulnerability are severe, encompassing both privacy breaches and financial risks. An attacker could distribute a seemingly benign application—such as a fitness tracker or wallpaper app—through sideloading or third-party app stores. Once installed, this app could exploit the vulnerability to send messages to premium-rate numbers, leading to unauthorized charges, or impersonate the user to harass contacts. Notably, the exploitation process is stealthy: it does not trigger pop-ups, permission requests, or any visible indicators beyond the sent message log.
Discovery and Disclosure
The vulnerability was discovered by the security firm io-no, which reported the issue through Google’s Mobile Vulnerability Reward Program. Google acknowledged the report on March 13, 2025, commended the discovery, and deployed patches by May 2025. Users are strongly advised to update their devices promptly to mitigate potential risks.
Mitigation Measures
To protect against potential exploitation of this vulnerability, users should:
– Update Devices: Ensure that Wear OS devices are running the latest software versions, including the patched Google Messages app.
– Review App Permissions: Regularly audit installed applications and their permissions, removing any that are unnecessary or from untrusted sources.
– Exercise Caution with App Installations: Avoid sideloading applications or downloading from third-party app stores, as these may not have undergone rigorous security checks.
Conclusion
The discovery of CVE-2025-12080 underscores the importance of vigilant security practices within the wearable technology ecosystem. As wearable devices become increasingly integrated into daily life, ensuring their security is paramount to protecting user privacy and preventing unauthorized activities. Users are encouraged to stay informed about potential vulnerabilities and to apply security updates promptly to maintain the integrity of their devices.
