If you own a OnePlus phone running OxygenOS 12 through OxygenOS 15, there’s something important you should know. Security researchers at Rapid7 recently discovered a bug, tracked as CVE-2025-10184, that could let bad apps read and send your text messages without you knowing.
That’s a big deal. In real life, it means hackers could grab sensitive texts like two-factor authentication (2FA) codes or even send out fake messages in your name. The end result could be stolen accounts, fraud, or worse.
How the Bug Happened
According to Rapid7, the issue started when OnePlus tweaked Android’s built-in telephony content provider. The company added some new components called PushMessageProvider, PushShopProvider, and ServiceNumberProvider, but didn’t set the right limits on write permissions.
Because of that slip-up, a harmful app can reach these components and use SQL injection or other tricks to get at SMS data, bypassing Android’s normal permission protections.
Which Phones Are Affected
So far, the problem has been confirmed on the OnePlus 8T running OxygenOS 12 and the OnePlus 10 Pro with OxygenOS 14 and 15. Rapid7 warns that other models are probably vulnerable too.
Interestingly, OxygenOS 11 doesn’t seem to have the issue, which suggests it popped up in later versions. Because the flaw affects how SMS messages are handled, the most recent OnePlus devices could be at risk as well. And yes, this makes it more serious than your average software bug.

Slow Response from OnePlus
What made this situation worse is how long it took OnePlus to respond. Rapid7 says they reported the flaw back in May 2025 and followed up multiple times, but heard nothing for months. OnePlus only confirmed the issue after Rapid7 went public with their findings and even shared a proof of concept.
A Fix Is on the Way
The good news is that OnePlus has now acknowledged the problem. The company says it has already built a fix and that a security patch will begin rolling out globally in mid-October, according to 9to5Google. OnePlus promises the update will fix the permission bypass and shut down the SMS loophole.
What You Can Do Right Now
Until the patch lands on your phone, it’s smart to be extra careful about the apps you install. Stick to trusted sources like the Google Play Store, and consider deleting apps you don’t use or ones that look sketchy.
Experts also recommend avoiding SMS-based two-factor authentication for now. Safer alternatives include using authenticator apps or, even better, a hardware security key.