Full Report
A critical vulnerability discovered in Google Messages for Wear OS has exposed millions of smartwatch users to a significant security risk. Identified as CVE-2025-12080, the flaw allows any installed application to send text messages on behalf of the user without requiring permissions, confirmation, or user interaction. Security researcher Gabriele Digregorio discovered the vulnerability in March […]
Analysis Summary
# Vulnerability: Unauthorized SMS/MMS Sending in Google Messages for Wear OS
## CVE Details
- CVE ID: CVE-2025-12080
- CVSS Score: **Not provided** in the text; the vulnerability is described as **Critical**.
- CWE: Confused Deputy (Implied by description of bypassing security measures)
## Affected Systems
- Products: Google Messages application running on Wear OS devices.
- Versions: Specific vulnerable versions are **not listed**, but confirmed on devices running Wear OS with Android 15 (e.g., Pixel Watch 3).
- Configurations: Requires Google Messages to be set as the **default SMS, MMS, or RCS application** on the Wear OS device.
## Vulnerability Description
The vulnerability is an improper intent handling flaw within Google Messages on Wear OS. When the application handles messaging intents (specifically those using `ACTION_SENDTO` targeting `sms:`, `smsto:`, `mms:`, and `mmsto:` URI schemes), it fails to prompt the user for confirmation or verification. This allows any installed application on the Wear OS device to silently send text messages (SMS/MMS) on behalf of the legitimate user to arbitrary phone numbers without requiring the `SEND_SMS` permission or any explicit user interaction. This is categorized as a "confused-deputy" vulnerability.
## Exploitation
- Status: **PoC available** (demonstrated by researcher Gabriele Digregorio).
- Complexity: **Low**. Exploitation requires only standard Android programming practices to craft intents within a distributed application.
- Attack Vector: **Local** (Compromised application must be installed on the target device).
## Impact
- Confidentiality: **High**. Messages sent could lead to impersonation or leakage of user activity.
- Integrity: **High**. Messages sent on behalf of the user can be malicious (spam, phishing, contacting premium numbers).
- Availability: **Low** (Direct impact to service availability is unlikely, but resource usage/cost due to sent messages is possible).
## Remediation
### Patches
- **Patch Availability:** Google has been notified and patches are expected. Users are advised to **update Google Messages to the latest available version** when patches are released.
### Workarounds
- Exercise **extreme caution when installing applications** on Wear OS devices.
- (Implied) If supported by the OS version, prevent Google Messages from being the default SMS/MMS/RCS handler, although the article notes this is difficult due to limited alternatives.
## Detection
- **Indicators of Compromise:** Unexplained outgoing SMS/MMS messages originating from the user's account, especially to unknown or premium-rate numbers.
- **Detection Methods and Tools:** Detection is stated to be **extraordinarily difficult** as the attack is stealthy and produces no immediate user notifications. Monitoring and auditing of sent messages may be necessary post-exploitation.
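
A static triage check for the pattern described under Vulnerability Description, added here as an example and not taken from the article or the researcher's write-up: it flags an app whose decompiled code contains `SENDTO` together with one of the four messaging URI schemes while its manifest does not request `SEND_SMS`. The input layout (decoded manifest text plus a file-name-to-text map) and all sample values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SENDTO = re.compile(r"ACTION_SENDTO|android\.intent\.action\.SENDTO")
# String literals that begin with one of the four URI schemes named above.
MSG_URI = re.compile(r"[\"'](smsto|sms|mmsto|mms):")

# Constructed sample input: a decoded manifest and one decompiled file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.watchface">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
SAMPLE_SOURCES = {
    "Sender.smali": 'const-string v0, "android.intent.action.SENDTO"\n'
                    'const-string v1, "smsto:+12025550100"\n',
}


def declared_permissions(manifest_xml):
    """Return the permission names listed in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage_app(manifest_xml, sources):
    """Flag an app that builds SENDTO messaging intents without SEND_SMS.

    sources maps a decompiled file name to its text (hypothetical layout).
    """
    uri_hits, uses_sendto = [], False
    for name, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            uses_sendto = uses_sendto or bool(SENDTO.search(line))
            match = MSG_URI.search(line)
            if match:
                uri_hits.append((name, lineno, match.group(1)))
    has_send_sms = "android.permission.SEND_SMS" in declared_permissions(manifest_xml)
    # A lead for manual review, not a verdict: opening an SMS composer via
    # SENDTO is also common in benign apps.
    needs_review = uses_sendto and bool(uri_hits) and not has_send_sms
    return {"send_sms_declared": has_send_sms, "uri_hits": uri_hits,
            "needs_review": needs_review}


if __name__ == "__main__":
    print(triage_app(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```
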
## References
- Vendor Advisories: **Not explicitly linked** in the summary text, but disclosure was made to Google via responsible channels.
- Relevant links (defanged):
  - gbhackers.com/google-wear-os-flaw-lets-any-app-send-texts-on-behalf-of-users/
  - towerofhanoi.it/writeups/cve-2025-12080/ (Link to PoC demonstration)