CVE-2025-10184 Overview
CVE-2025-10184 is a permission bypass vulnerability in the OnePlus OxygenOS Telephony provider. Any application installed on the device can read SMS and MMS data, including metadata, without holding the required permissions, prompting the user, or generating any notification. The flaw stems from missing write-permission checks in several content providers combined with a blind SQL injection in their update method. Successful exploitation discloses sensitive message content and can defeat SMS-based Multi-Factor Authentication (MFA) flows that depend on the confidentiality of one-time passcodes. The issue was documented publicly by Rapid7 and tracked under [CWE-89] (SQL Injection).
Critical Impact
A malicious app with no declared permissions can silently exfiltrate SMS/MMS content and break SMS-based MFA on affected OxygenOS devices.
Affected Products
- OnePlus OxygenOS devices exposing com.android.providers.telephony.PushMessageProvider
- OnePlus OxygenOS devices exposing com.android.providers.telephony.PushShopProvider
- OnePlus OxygenOS devices exposing com.android.providers.telephony.ServiceNumberProvider
Discovery Timeline
- 2025-09-23 - CVE-2025-10184 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10184
Vulnerability Analysis
The vulnerability lives in OxygenOS-specific content providers that extend the standard Android Telephony provider. These providers expose update endpoints without enforcing the write permissions normally required to modify telephony data. An attacker-controlled application can therefore invoke update against the SMS tables. Because the update implementation concatenates attacker-supplied input into the underlying SQL statement, it is also vulnerable to blind SQL injection. By chaining boolean conditions in the WHERE clause, the attacker exfiltrates SMS body text and metadata one bit at a time through observable side effects of the update call.
Root Cause
Two defects combine to produce the bypass. First, the affected providers do not declare or enforce android:writePermission for the telephony URIs they expose, so any local app can reach the update code path. Second, the update method builds its SQL string by interpolating caller-controlled parameters rather than using parameterized queries, satisfying the conditions for [CWE-89] blind SQL injection. The original Android Open Source Project (AOSP) provider would have rejected the caller well before SQL execution; the OxygenOS modifications removed that gate.
Attack Vector
The attack is local: a malicious application installed on the device, requiring no permissions in its manifest, queries the vulnerable providers through standard ContentResolver APIs. The attacker issues crafted update calls whose selection argument carries an injected SQL predicate referencing the sms table. The boolean result is inferred from the row count returned by update, allowing byte-by-byte reconstruction of SMS contents. No user interaction or system prompt is involved, and the SMS subsystem produces no notification that data has been read. A proof-of-concept demonstrating the technique is published in the Rapid7 advisory and the accompanying CVE-2025-10184 PoC archive.
No verified exploit code is reproduced here. Refer to the linked references for full technical details.
Detection Methods for CVE-2025-10184
Indicators of Compromise
- Installed applications that hold no SMS-related permissions yet repeatedly invoke ContentResolver.update against content://com.android.providers.telephony.PushMessageProvider, PushShopProvider, or ServiceNumberProvider.
- Process activity showing rapid, iterative content-provider calls consistent with bit-by-bit blind SQL injection enumeration.
- Outbound network traffic from low-privilege apps containing strings, hashes, or base64 blobs whose size correlates with the SMS inbox.
Detection Strategies
- Inspect APKs at install time for code referencing the affected provider authorities, particularly when the manifest lacks READ_SMS or RECEIVE_SMS.
- Hunt for unusual update operations against telephony URIs in mobile EDR or MDM telemetry, because legitimate apps almost never call update on these providers.
- Correlate spikes in content-provider IPC from a single UID with subsequent network egress to non-corporate destinations.
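The install-time inspection described in the first strategy above can be approximated with a static string match. The following is an added example, not code from the advisory or from Rapid7: it flags an APK whose DEX code names an affected provider authority while its manifest declares neither READ_SMS nor RECEIVE_SMS. The function names and the two sample archives are constructed for illustration.

```python
import io
import zipfile

# Provider names and authority prefix as listed under Affected Products.
PROVIDERS = ("PushMessageProvider", "PushShopProvider", "ServiceNumberProvider")
AUTHORITY_PREFIX = "com.android.providers.telephony."
SMS_PERMISSIONS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS")


def contains(blob: bytes, text: str) -> bool:
    # Binary AndroidManifest.xml string pools are UTF-8 or UTF-16LE;
    # DEX string data is MUTF-8, which equals ASCII for these names.
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag an APK that names an affected provider but declares no SMS permission."""
    hits, declared = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name == "AndroidManifest.xml":
                manifest = apk.read(name)
                declared = {p for p in SMS_PERMISSIONS if contains(manifest, p)}
            elif name.startswith("classes") and name.endswith(".dex"):
                dex = apk.read(name)
                hits |= {p for p in PROVIDERS if contains(dex, AUTHORITY_PREFIX + p)}
    return {
        "providers_referenced": sorted(hits),
        "sms_permissions": sorted(declared),
        "review": bool(hits) and not declared,
    }


def build_sample_apk(dex_text: str, manifest_text: str) -> bytes:
    # Constructed stand-in for an APK: real DEX and manifest files are binary,
    # but the scanner only needs the raw string bytes to be present.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex_text.encode("utf-8"))
        z.writestr("AndroidManifest.xml", manifest_text.encode("utf-16-le"))
    return buf.getvalue()


# Constructed samples: one app without SMS permissions, one that declares READ_SMS.
SUSPECT = build_sample_apk(
    "content://com.android.providers.telephony.PushMessageProvider",
    "android.permission.INTERNET")
SMS_APP = build_sample_apk(
    "content://com.android.providers.telephony.ServiceNumberProvider",
    "android.permission.READ_SMS")

if __name__ == "__main__":
    print(triage_apk(SUSPECT))
    print(triage_apk(SMS_APP))
```

A match is a triage signal only: an app that assembles the authority string at runtime or ships obfuscated code will not be caught by a literal byte search.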
Monitoring Recommendations
- Enable verbose logging on enterprise-managed OxygenOS devices and forward telephony provider access events to a centralized SIEM for review.
- Track SMS-based MFA failure patterns; attacker pre-reading of one-time codes can manifest as legitimate codes being consumed before the user submits them.
- Maintain an inventory of OnePlus device models and OxygenOS build numbers so patched and unpatched fleets can be separated in monitoring queries.
How to Mitigate CVE-2025-10184
Immediate Actions Required
- Restrict installation of non-vetted applications on affected OnePlus devices through enterprise mobility management policies.
- Move high-value accounts off SMS-based MFA and onto authenticator apps, FIDO2 security keys, or push-based factors.
- Audit installed applications on OnePlus handsets and remove any package without a clear business justification.
Patch Information
At the time of publication, the Rapid7 disclosure titled CVE-2025-10184 OnePlus OxygenOS Telephony Provider Permission Bypass reports that the vulnerability is not fixed. Organizations should monitor OnePlus security bulletins for an updated OxygenOS build that enforces write permissions and parameterizes the affected update queries, and deploy it through their managed device update channel as soon as it is available.
Workarounds
- Apply a mobile threat defense policy that blocks or quarantines apps issuing ContentResolver calls to the affected telephony provider authorities.
- Disable sideloading and restrict installations to a curated enterprise app catalog on managed devices.
- Where feasible, replace affected OnePlus devices in high-risk roles with handsets running a stock Android Telephony provider until a vendor fix ships.
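# Example: enumerate installed packages whose package dump mentions the vulnerable providers
# (the telephony provider package itself declares these providers and will also match)
adb shell pm list packages | tr -d '\r' | sed 's/^package://' | while read -r pkg; do
  # dumpsys package expects a package name, not an APK path;
  # </dev/null stops adb from consuming the rest of the package list on stdin
  if adb shell dumpsys package "$pkg" </dev/null | grep -Eq 'PushMessageProvider|PushShopProvider|ServiceNumberProvider'; then
    echo "Review package: $pkg"
  fi
done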

