7 min read

Security firm Rapid7 disclosed a serious vulnerability (CVE-2025-10184) in multiple OnePlus phones running OxygenOS 12, 14 and 15 that can allow installed apps to read and send SMS/MMS without user consent.
Rapid7 says it initially reported the issue privately earlier in 2025 and published its findings in September 2025 after limited response. OnePlus has acknowledged the bug and announced a global patch rollout beginning in mid-October 2025.

Rapid7 says the root cause is in OnePlus’s modifications to Android’s telephony content provider: custom providers added to OxygenOS (for example, PushMessageProvider/PushShopProvider/ServiceNumberProvider) were exposed without proper permission checks, allowing apps to query and in some cases write telephony data and trigger SMS sends.
Victims may not notice immediately, since the messages appear as if they were sent normally. This type of attack not only increases costs for users but also risks spreading malware through links embedded in the rogue texts.

Rogue outgoing SMS can cause unexpected premium or international charges; security outlets recommend monitoring billing statements closely and contacting carriers if you see unexplained outgoing SMS volumes while a device is vulnerable.
For OnePlus users, this could mean sudden spikes in monthly bills without any clue that their phones were sending messages in the background. Monitoring statements can help catch unusual activity early.

Beyond unwanted charges, rogue SMS features can be used in phishing campaigns. Attackers may send links to fake websites, tricking recipients into entering personal information.
Because the messages originate from a user’s phone, they look more legitimate and can carry phishing links; the flaw also risks interception of SMS-based two-factor authentication codes, increasing account takeover danger.
This increases the chance of success for scams targeting banks, social media accounts, or email logins. The flaw therefore creates both financial and security risks for OnePlus owners and their contacts.

OnePlus has built a reputation for high-quality Android phones at competitive prices. This has earned it a loyal user base in markets like India, Europe, and North America.
However, the brand has faced past criticism for data handling and security lapses. News of another flaw reinforces concerns about whether the company is keeping pace with growing cybersecurity threats. How quickly OnePlus responds will influence user trust going forward.

Mobile carriers also play a part in limiting the damage from rogue texts. Some have systems that block unusual SMS patterns, especially when many messages are sent in a short time.
However, attackers can sometimes bypass these defenses by spreading activity across multiple victims. Carriers may need to strengthen monitoring tools and work with device makers like OnePlus to flag suspicious traffic before it drains user accounts.

Unlike Apple’s iOS, Android’s open ecosystem allows greater customization but also introduces more security risks. OnePlus builds its OxygenOS software on top of Android, which means vulnerabilities can arise both in Google’s base system and OnePlus’s modifications.
The rogue SMS flaw shows how even well-regarded Android manufacturers remain exposed to bugs. For users, it underscores the need for regular updates and cautious app downloads on any Android device.

The main defense against this flaw is timely software patches. Once a vulnerability is reported, phone makers analyze the code, create fixes, and release updates. Users who install patches quickly are far less likely to be affected.
Unfortunately, many delay updates, leaving devices exposed for weeks or months. OnePlus has urged customers to enable automatic updates so security fixes can be applied as soon as they become available.

OnePlus owners can take steps to detect signs of compromise. Unexpected charges, messages in the outbox that weren’t sent by the user, or contacts reporting strange texts are all red flags.
Security experts recommend checking billing records and SMS logs regularly. Installing trusted mobile security apps can also help catch malicious behavior early. While no defense is perfect, awareness can limit the damage before attackers exploit the flaw more broadly.

The OnePlus issue is part of a larger pattern affecting the smartphone industry. Both Android and iOS devices have suffered from text messaging flaws in the past, showing how attackers constantly probe communication apps for weaknesses.
Each incident reminds phone makers that secure messaging is a moving target requiring continuous attention. Companies that fail to act swiftly risk harming not only their users but also their brand reputation.

Because OnePlus phones are sold worldwide, the rogue SMS issue has international implications. Attackers can target users in different regions depending on where fraudulent numbers or scams pay off best.
A bug affecting millions of devices across multiple countries creates a wide attack surface. Security researchers note that flaws with global scope are often exploited faster because they offer larger returns for cybercriminals.

Incidents like this also draw attention from regulators. Agencies in the EU, U.S., and Asia are increasingly pressuring phone makers to prioritize security and protect consumers. If a flaw leads to widespread losses, regulators may investigate whether companies acted quickly enough.
In extreme cases, governments can issue fines or mandate stricter security rules. OnePlus’s response to the rogue SMS flaw may therefore be judged not only by users but also by authorities.

Rogue texts are not just about charges or scams; they can also expose sensitive data. Attackers may use SMS to bypass two-factor authentication codes or trick users into revealing passwords.
Because many banks and services still rely on text messages for login verification, flaws in messaging apps can undermine account security. For this reason, experts urge businesses and individuals to adopt stronger authentication methods that don’t rely solely on SMS.

Phone makers constantly balance performance, features, and security. Pushing out new devices quickly can sometimes leave less time for rigorous testing. The OnePlus flaw shows the risks of this trade-off.
As competition intensifies, companies must ensure that rapid innovation does not come at the expense of user protection. Stronger partnerships with security researchers may help prevent similar vulnerabilities from slipping through in the future.

The discovery of the rogue SMS flaw highlights why personal vigilance matters. Even with patches, no device is completely immune to attack. Users should avoid sideloading unverified apps, stay cautious about links in texts, and update devices promptly.
Cybercriminals count on people being careless, so simple precautions remain the best defense. The incident is another reminder that smartphones are powerful computers requiring the same level of security attention.
Treating smartphones like full computers means pairing vigilance with practical steps such as how to check if your phone was hacked.

For now, OnePlus users are advised to apply updates and stay alert for suspicious phone behavior. Security researchers will continue probing devices to ensure the flaw has been fully addressed.
Longer term, the incident may push smartphone makers across the industry to tighten their testing and patching cycles. The ultimate goal is safer devices for everyone.
As phone makers refine both security and usability, practical features like how to stop spam calls using iOS 26 call screening show how progress reaches daily life.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.