The Google Messages app on Wear OS devices has a vulnerability, identified as CVE-2025-12080, that permits any installed application to send SMS, MMS, or RCS messages without user consent. The issue originates from improper handling of ACTION_SENDTO intents, which bypasses essential security checks and reveals significant risks associated with wearables. Because Google Messages is the default messaging application on most Wear OS smartwatches, the vulnerability could impact a large number of users, leaving them open to exploitation by malicious apps.
The flaw allows attackers to dispatch messages stealthily using legitimate-looking applications. This has severe implications for user privacy and carries potential financial consequences, as attackers can impersonate victims via unwanted messages or extract information through premium-rate SMS. No malicious code is required, and the attack vector is particularly concerning because it is unobtrusive: users receive no pop-ups or permission requests when such actions occur. Google has acknowledged and fixed the issue, and urges users to keep their devices updated and to be cautious about new app installations.
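An app-vetting triage sketch for the issue described above, added here as an example and not code from Google or the original report: it flags Wear OS packages that reference ACTION_SENDTO next to a messaging URI scheme while not holding the SEND_SMS permission. The `sms`/`smsto`/`mms`/`mmsto` scheme list, the apktool-style input layout and the sample package are assumptions, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SENDTO = re.compile(r"ACTION_SENDTO|android\.intent\.action\.SENDTO")
MSG_SCHEME = re.compile(r'"(sms|smsto|mms|mmsto):', re.I)  # assumed scheme list
WINDOW = 5  # lines of context searched around each SENDTO reference

# Constructed sample input (hypothetical package, apktool-style layout).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.steps">
  <uses-feature android:name="android.hardware.type.watch"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
SAMPLE_SOURCES = {"smali/Sync.smali":
                  'const-string v0, "android.intent.action.SENDTO"\n'
                  'const-string v1, "smsto:"\n'}


def manifest_facts(manifest_xml):
    """Return (is_wear_os_app, holds_send_sms) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    def names(tag):
        return {e.get(ANDROID_NS + "name") for e in root.iter(tag)}
    return ("android.hardware.type.watch" in names("uses-feature"),
            "android.permission.SEND_SMS" in names("uses-permission"))


def sendto_sites(sources):
    """List (path, line, scheme) where SENDTO sits near a messaging URI."""
    hits = []
    for path, text in sorted(sources.items()):
        lines = text.splitlines()
        for i, line in enumerate(lines):
            if SENDTO.search(line):
                ctx = "\n".join(lines[max(0, i - WINDOW):i + WINDOW + 1])
                m = MSG_SCHEME.search(ctx)
                if m:
                    hits.append((path, i + 1, m.group(1).lower()))
    return hits


def triage(manifest_xml, sources):
    """Flag Wear OS apps that reference SENDTO messaging without SEND_SMS."""
    is_wear, has_perm = manifest_facts(manifest_xml)
    sites = sendto_sites(sources)
    return {"wear_os": is_wear, "holds_send_sms": has_perm, "sites": sites,
            "review": is_wear and bool(sites) and not has_perm}
```

A `review` result is a prompt for manual inspection, not a verdict: referencing ACTION_SENDTO is normal for apps that hand the user off to a compose screen.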
👉 Read the original: Cyber Security News