Flaw in OnePlus phones lets apps read your texts, fix rolling out soon

If you have a OnePlus phone with OxygenOS 12 through OxygenOS 15, you should be aware of a serious security issue. Researchers at Rapid7 found a flaw, identified as CVE-2025-10184, that lets harmful apps read and send your text messages without your permission.
In practice, this means an attacker could intercept sensitive texts like two-factor authentication (2FA) codes or even send out messages on your behalf, opening the door to account takeovers and fraud.
Rapid7 explains (via BleepingComputer) that the issue started when OnePlus changed Android’s built-in telephony content provider. The company added new components called PushMessageProvider, PushShopProvider, and ServiceNumberProvider, but did not set proper limits on write permissions. Because of this, harmful apps can take advantage of the system using SQL injection or similar tricks, getting around Android’s usual protections.
The vulnerability has been confirmed on devices such as the OnePlus 8T with OxygenOS 12 and the OnePlus 10 Pro running OxygenOS 14 and 15, though Rapid7 warns that other models are likely impacted too.
OxygenOS 11 does not seem to have this problem, which means the flaw likely appeared in later versions. Since the issue affects how SMS messages are handled, it puts most recent OnePlus phones at risk and is more serious than most bugs.
The situation became more concerning because OnePlus was slow to respond. Rapid7 reported the flaw in May 2025 and followed up several times, but the company did not reply for months. OnePlus only recognized the problem after Rapid7 made its findings public and shared a proof of concept.
The company has since confirmed that it has developed a fix and promised that a security patch will begin rolling out globally in mid-October, as per 9to5Google. According to OnePlus, the patch will address the permission bypass and close off the SMS loophole.
Until the update arrives, OnePlus users should be careful about which apps they install. Only download apps from trusted sources, since harmful apps are the main way this flaw can be used. It’s also a good idea to remove any apps you don’t use or that seem suspicious.
Experts also suggest using safer options for two-factor authentication, such as authenticator apps or hardware security keys, instead of relying on SMS codes.
