Google Wear OS Vulnerability Allows Apps to Send SMS Without User Consent

A critical vulnerability in Google Messages for Wear OS has exposed millions of smartwatch users to a silent SMS hijacking attack.

CVE-2025-12080, discovered by security researcher Gabriele Digregorio in March 2025 and awarded a bounty by Google’s Mobile Vulnerability Reward Program, allows any installed application to send text messages on behalf of the user without requiring permissions or user confirmation.

The vulnerability stems from improper intent handler configuration in Google Messages when it serves as the default SMS/MMS/RCS application on Wear OS devices.

Attackers can exploit ACTION_SENDTO intents using vulnerable URI schemes, including sms:, smsto:, mms:, and mmsto: to trigger automatic message sending.

Unlike standard Android behavior, Google Messages on Wear OS fails to display a confirmation prompt before executing these sensitive operations, creating what security experts call a “confused-deputy” vulnerability.

The Technical Breakdown

Android and Wear OS rely on intents as their core communication mechanism, allowing applications to request actions from other components.

Intent handlers typically verify permission levels and require explicit user confirmation for sensitive operations such as sending messages.

However, Google Messages on Wear OS circumvents this security model entirely.

When receiving ACTION_SENDTO intents, the application processes the request immediately without prompting the user or verifying the caller’s legitimacy.

The impact proves particularly severe because Google Messages is the default SMS/MMS/RCS application on many Wear OS devices, with limited alternatives available.

This default status ensures the vulnerability remains exploitable across the majority of Wear OS deployments.

Additionally, the attack requires no special permissions from the malicious application, making it virtually undetectable to users reviewing app permissions.

Attack Methodology and Real-World Implications

The exploit operates through a straightforward mechanism. Any installed application can programmatically invoke an ACTION_SENDTO intent with target phone numbers and message content.

The vulnerable Google Messages application then sends these messages automatically on the user’s behalf.

Attackers could distribute seemingly legitimate applications that silently send SMS messages to arbitrary recipients, potentially enabling financial fraud, account takeovers through SMS-based authentication codes, or spreading malware through phishing links.

The stealthy nature of this vulnerability significantly increases its danger.

Users reviewing installed applications would see no obvious signs of malicious activity, as no special SMS permissions appear in the app’s manifest.

Messages are sent silently without user awareness until phone bill anomalies or account security alerts reveal the compromise.

Google addressed this vulnerability through security updates to Google Messages for Wear OS.

Users should immediately update their smartwatch applications through the Play Store and verify that their devices run the latest Wear OS builds.

Until patching, users concerned about exposure should review recently installed applications for suspicious behavior and consider temporarily disabling non-essential applications requiring internet connectivity.

This vulnerability underscores the importance of rigorous security reviews for messaging applications and demonstrates how platform-specific implementations can introduce critical gaps in Android’s established security model.

CVE Details

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today