Wear OS Messages Flaw (CVE-2025-12080) Allows Unprivileged Apps to Send SMS/RCS Without Permission, PoC Available
Ddos 
Security researcher Gabriele Digregorio has disclosed a newly identified vulnerability in Google Messages for Wear OS, designated CVE-2025-12080 (CVSS v4 6.9), that allows any installed app to send SMS, MMS, or RCS messages on a user’s behalf — without any permissions or interaction required.
According to Digregorio’s report, “On Wear OS, when Google Messages is the default SMS/MMS/RCS app, ACTION_SENDTO intents using the sms:, smsto:, mms:, and mmsto: URI schemes are handled incorrectly.” As a result, “an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions.”
The flaw stems from how Google Messages handles intent requests — the Android mechanism that lets apps communicate and perform system-level actions such as dialing a phone number or composing a message.
Normally, messaging apps are expected to display a confirmation interface before sending a message to ensure user consent. However, on Wear OS, “Google Messages does not enforce this expectation. Due to a misconfiguration in the way Google Messages handles these URI schemes, the app sends the message automatically without displaying a confirmation prompt or requiring user interaction.”
This behavior effectively turns Google Messages into what Digregorio describes as a “confused deputy” — a privileged system component performing sensitive actions on behalf of an unprivileged caller.
The attack model assumes that a benign-looking app is installed on the target smartwatch. That app can issue a simple ACTION_SENDTO intent containing an SMS or MMS URI and message body, which Google Messages then sends immediately.
The report stresses that “the application does not need to contain malicious code,” and that “no special permissions (such as SEND_SMS) are required.” Any app installed on the device could therefore exploit the flaw.
A proof of concept (available on GitHub) demonstrates this behavior on a Pixel Watch 3 running Wear OS (Android 15 BP1A.250305.019.w3) with Google Messages version 2025_0225_RC03.wear_dynamic. Once installed, the PoC app automatically fires the intent upon launch and sends a text message without any confirmation screen.
“Because exploitation does not require permissions, the vulnerability is highly stealthy and difficult for a user to detect,” Digregorio warns.
Because Google Messages is the default messaging app on most Wear OS devices, and alternatives are limited, the vulnerability is widely exploitable. Malicious actors could craft apps that appear harmless — such as fitness trackers or weather widgets — while silently sending SMS messages to premium numbers, phishing recipients, or C2 servers.
The report cautions that while the tested attack requires an installed app, “other mechanisms that trigger intents may also be exploitable,” including Wear OS Tiles and Complications.
Donate