TL;DR — The OnePlus CVE-2025-10184 OxygenOS flaw lets any installed app read and even send SMS/MMS without user permission. That can expose one-time codes and break SMS-based MFA. Update as soon as patches land, switch to authenticator or security keys, and lock down BYOD with policy.
What happened (and why SMS MFA breaks)
Researchers found a permission bypass in OxygenOS that exposes Android’s Telephony provider to third-party apps. In practical terms: a malicious app can silently read inbound SMS (including OTPs) and, on affected builds, send SMS—no prompts, no granted permissions, no user action. That breaks the confidentiality and integrity assumptions of SMS-based MFA.
Affected builds & devices (as tested so far)
- OxygenOS 12 → 15 are impacted across multiple models; OxygenOS 11 appears unaffected in testing. Rapid7 validated on OnePlus 8T and OnePlus 10 Pro and noted it’s a platform change, not device-specific. OnePlus has acknowledged the bug and says a global fix begins rolling out mid-October 2025.
Guidance for individuals (do this now)
Stop using SMS for 2FA
Move to TOTP (e.g., an authenticator app) or security keys (FIDO2/WebAuthn) on your critical accounts. Treat SMS as "recover only," not primary MFA. The whole point of CVE-2025-10184 is that OTPs in SMS are no longer private on vulnerable builds.
Update aggressively
- Check Settings → About device → OxygenOS → Software update and install as soon as the patch appears in your region. OnePlus stated a mid-Oct 2025 rollout.
- Advanced: verify via ADB (see “Verify & detect” below).
Clean up apps
Uninstall shady/unused apps; they're the easiest path to abuse here. Until you're patched, assume any app could get SMS access.
Prefer encrypted messengers for sensitive one-time links, and avoid sharing OTPs over SMS altogether.
DEV/Power user: verify & detect
A. Quick ADB checks (no root)
List third-party packages that request SMS permissions (not sufficient to exploit this bug, but great hygiene):
# List packages that *declare* SMS-related dangerous permissions
adb shell 'for p in $(pm list packages -3 | cut -d: -f2); do
  # -q before the pattern so the same line works with toybox grep on the device
  if dumpsys package "$p" | grep -qE "android.permission.(READ_SMS|RECEIVE_SMS|SEND_SMS)"; then
    echo "$p"
  fi
done'
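The one-liner above only tells you that a package declares an SMS permission. As an added example (not code from the original post or from the Rapid7 research), the script below parses saved `adb shell dumpsys package` output offline and separates permissions an app merely declares from ones it currently holds at runtime. The dumpsys excerpt is constructed to mirror the real output layout; the package names are placeholders. On a vulnerable build this inventory is hygiene only, because the bug sidesteps these grants entirely.

```python
import re
import subprocess
import sys

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# Not captured from a real device; package names are placeholders.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.weather] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messenger] (7a8b9c):
    requested permissions:
      android.permission.SEND_SMS
      android.permission.READ_SMS
    User 0: ceDataInode=456 installed=true hidden=false
      runtime permissions:
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
"""

SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_sms_permissions(dump: str) -> dict:
    """Map package -> {permission: state} for SMS permissions only.

    state is True/False when a grant line was seen for the permission and
    None when it only appears under "requested permissions:" (declared,
    never granted or explicitly denied at runtime).
    """
    result: dict = {}
    pkg = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            continue
        if pkg is None:
            continue
        m = PERM_RE.match(line)
        if not m or m.group(1) not in SMS_PERMS:
            continue
        perm, granted = m.group(1), m.group(2)
        entry = result.setdefault(pkg, {})
        if granted is None:
            entry.setdefault(perm, None)        # declared only; keep any explicit state
        else:
            entry[perm] = (granted == "true")   # explicit grant state overrides
    return result


def granted_sms_packages(parsed: dict) -> list:
    """Packages that currently hold at least one SMS permission."""
    return sorted(p for p, perms in parsed.items() if any(v is True for v in perms.values()))


if __name__ == "__main__":
    # `python3 sms_perms.py live` reads the connected device instead of the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        text = subprocess.check_output(["adb", "shell", "dumpsys", "package"], text=True)
    else:
        text = SAMPLE_DUMPSYS
    parsed = parse_sms_permissions(text)
    for pkg, perms in sorted(parsed.items()):
        print(pkg, perms)
    print("granted:", granted_sms_packages(parsed))
```

Run it against a saved dump from a device you are triaging; packages in the "granted" list are the ones worth revoking with `pm revoke` while you wait for the patch.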
Check your build identifiers (helpful when your OEM patch notes are vague):
# Security patch date (Android level)
adb shell getprop ro.build.version.security_patch
# OnePlus / OxygenOS identifiers commonly used by update tools
adb shell getprop ro.rom.version
adb shell getprop ro.build.display.id
Many OxygenOS tools derive versioning from ro.rom.version (or fall back to ro.build.display.id on ColorOS-based builds). Useful to confirm you're on the post-fix build.
⚠️ Note: Because CVE-2025-10184 bypasses permission checks, the presence or absence of READ_SMS in an app's manifest isn't a guarantee of safety; patching is.
B. Kotlin snippet: flag apps with SMS capabilities
// Run inside a small Android utility app on a work profile device.
// Android 11+ package visibility: to enumerate other apps, declare
// <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/> in the manifest
// (or a <queries> element); otherwise getInstalledPackages() returns only packages visible to your app.
import android.content.pm.PackageManager
import android.util.Log

val smsPermissions = setOf(
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"
)
val pm = applicationContext.packageManager
val flagged = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS).mapNotNull { pkg ->
    // requestedPermissions is what the manifest declares, not what is currently granted
    val perms = pkg.requestedPermissions?.toList() ?: emptyList()
    val smsPerms = perms.filter { it in smsPermissions }
    if (smsPerms.isNotEmpty()) "${pkg.packageName} -> $smsPerms" else null
}
flagged.forEach { Log.i("SMS_PERMS", it) }
C. (Mitigation, not a fix) Revoke SMS from specific apps
# Replace com.bad.actor with the package you want to restrict.
# pm revoke only applies to runtime permissions the app declares; it fails with an error otherwise.
adb shell pm revoke com.bad.actor android.permission.READ_SMS
adb shell pm revoke com.bad.actor android.permission.RECEIVE_SMS
adb shell pm revoke com.bad.actor android.permission.SEND_SMS
This reduces normal SMS abuse but does not fix CVE-2025-10184 if your build is vulnerable.
BYOD / MDM playbook (Android Enterprise)
Until every device is patched, treat CVE-2025-10184 as a mobile-fleet incident.
1) Detect risky devices
- Inventory OxygenOS versions; flag 12–15 as At-Risk until patched build numbers are known. (Maintain an allowlist once the vendor publishes exact patched identifiers.)
Android Management API note: policy complianceRules only support nonComplianceDetailCondition (settingName / nonComplianceReason / packageName) and apiLevelCondition (a minimum API level), so they cannot match an OxygenOS version string. Pull the inventory instead: call devices.list for the enterprise and read these fields from each device (field names as in the API; values illustrative):
{
  "name": "enterprises/<enterpriseId>/devices/<deviceId>",
  "hardwareInfo": { "brand": "OnePlus", "model": "<model>" },
  "softwareInfo": {
    "androidVersion": "14",
    "androidBuildNumber": "<the device's ro.build.display.id>",
    "securityPatchLevel": "2025-09-05"
  }
}
Compare androidBuildNumber (and, once the vendor publishes one, securityPatchLevel) against your allowlist off-box and tag the device At-Risk in your inventory. Enable statusReportingSettings (softwareInfoEnabled, applicationReportsEnabled) in the policy so these fields are populated.
2) Enforce non-SMS MFA (IdP-side)
Azure AD (Microsoft Entra) – PowerShell via the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module):
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
# Confirm Authenticator app and FIDO2 are enabled before turning SMS off
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "MicrosoftAuthenticator"
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2"
# Inspect the current SMS method configuration
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Sms"
# Disable SMS as a usable sign-in / step-up method
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Sms" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state = "disabled"
}
# Check for users whose only registered method is SMS before you disable it, or they will be locked out of MFA.
(Implement with your IdP of choice—Okta, Entra, etc.—the objective is: no SMS for sign-in or step-up.)
3) Tighten app install surface
Android Enterprise (managed devices/work profile): block sideloading and deny SMS runtime permissions to managed apps (per-app exceptions go under applications[].permissionGrants). installUnknownSourcesAllowed is deprecated; advancedSecurityOverrides.untrustedAppsPolicy replaces it:
{
  "advancedSecurityOverrides": { "untrustedAppsPolicy": "DISALLOW_INSTALL" },
  "defaultPermissionPolicy": "DENY",
  "permissionGrants": [
    { "permission": "android.permission.SEND_SMS", "policy": "DENY" },
    { "permission": "android.permission.READ_SMS", "policy": "DENY" },
    { "permission": "android.permission.RECEIVE_SMS", "policy": "DENY" }
  ],
  "playStoreMode": "WHITELIST"
}
With playStoreMode WHITELIST only apps listed under applications are available in managed Google Play, so add your approved apps there.
4) Communicate simply
- “If you use a OnePlus, update first, then move accounts to authenticator/security keys. If something still uses SMS, treat it as temporary and raise a ticket.”
Signals to watch
- OnePlus patch ETA & build IDs (target: mid-Oct 2025 global rollout).
- NVD updates (severity, CWE, vendor advisories) for CVE-2025-10184.
- Research notes (e.g., affected provider components and tested devices) for deeper validation.
How to verify your device is fixed (post-patch)
- Settings → About device → Software update shows you’re on the latest OxygenOS for your model (after the vendor’s patch announcement window).
- ADB identifiers (ro.rom.version / ro.build.display.id) match your IT allowlist for patched builds.
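One classifier serves both the MDM inventory step above ("flag 12–15 as At-Risk until patched build numbers are known") and this post-patch ADB check. It is an added example, not code from the original post: it accepts either Android Management API device records (real field names under softwareInfo/hardwareInfo, constructed values) or raw `adb shell getprop` output, and compares them against an allowlist of patched build IDs and/or a minimum security patch date. The allowlist entries and the 2025-10-05 date are hypothetical placeholders, since OnePlus had not published patched identifiers at the time of writing; mapping the Android major version to OxygenOS 12 through 15 is an approximation.

```python
import re

# Hypothetical allowlist of patched androidBuildNumber / ro.build.display.id values.
# OnePlus had not published patched identifiers when this was written; replace these.
PATCHED_BUILDS = {"CPH2449_14.0.0.700_PLACEHOLDER"}

# Constructed device records in the shape of Android Management API devices.list
# results (field names are the API's; device names, models and values are made up).
SAMPLE_DEVICES = [
    {"name": "enterprises/E1/devices/d1",
     "hardwareInfo": {"brand": "OnePlus", "model": "KB2005"},
     "softwareInfo": {"androidVersion": "13", "androidBuildNumber": "KB2005_11_F.62",
                      "securityPatchLevel": "2025-08-05"}},
    {"name": "enterprises/E1/devices/d2",
     "hardwareInfo": {"brand": "OnePlus", "model": "CPH2449"},
     "softwareInfo": {"androidVersion": "14", "androidBuildNumber": "CPH2449_14.0.0.700_PLACEHOLDER",
                      "securityPatchLevel": "2025-10-05"}},
    {"name": "enterprises/E1/devices/d3",
     "hardwareInfo": {"brand": "OnePlus", "model": "IN2023"},
     "softwareInfo": {"androidVersion": "11", "androidBuildNumber": "IN2023_11_PLACEHOLDER",
                      "securityPatchLevel": "2023-01-05"}},
    {"name": "enterprises/E1/devices/d4",
     "hardwareInfo": {"brand": "google", "model": "Pixel 8"},
     "softwareInfo": {"androidVersion": "15", "androidBuildNumber": "AP3A.PLACEHOLDER",
                      "securityPatchLevel": "2025-09-05"}},
    {"name": "enterprises/E1/devices/d5",
     "hardwareInfo": {"brand": "OnePlus", "model": "CPH2581"},
     "softwareInfo": {"androidVersion": "15", "androidBuildNumber": "CPH2581_15.0.0.900_PLACEHOLDER",
                      "securityPatchLevel": "2025-10-05"}},
]

# Constructed `adb shell getprop` excerpt for the same check over USB.
SAMPLE_GETPROP = """\
[ro.product.brand]: [OnePlus]
[ro.product.model]: [KB2005]
[ro.build.version.release]: [13]
[ro.build.display.id]: [KB2005_11_F.62]
[ro.build.version.security_patch]: [2025-08-05]
"""
GETPROP_RE = re.compile(r"\[([^\]]+)\]: \[([^\]]*)\]")


def from_getprop(text: str, name: str = "usb-device") -> dict:
    """Convert getprop output into the same record shape as an AMAPI device."""
    props = dict(GETPROP_RE.findall(text))
    return {
        "name": name,
        "hardwareInfo": {"brand": props.get("ro.product.brand", ""),
                         "model": props.get("ro.product.model", "")},
        "softwareInfo": {"androidVersion": props.get("ro.build.version.release", ""),
                         "androidBuildNumber": props.get("ro.build.display.id", ""),
                         "securityPatchLevel": props.get("ro.build.version.security_patch", "")},
    }


def classify(device: dict, allowlist: set, min_patch=None) -> str:
    """PATCHED / AT_RISK / LOW_RISK / NOT_APPLICABLE / UNKNOWN for one device."""
    hw, sw = device.get("hardwareInfo", {}), device.get("softwareInfo", {})
    if hw.get("brand", "").lower() != "oneplus":
        return "NOT_APPLICABLE"
    build = sw.get("androidBuildNumber", "")
    patch = sw.get("securityPatchLevel", "")      # ISO date, so string comparison is safe
    if build in allowlist or (min_patch and patch >= min_patch):
        return "PATCHED"
    major = sw.get("androidVersion", "").split(".")[0]
    if not major.isdigit():
        return "UNKNOWN"
    major = int(major)
    if major <= 11:
        return "LOW_RISK"        # OxygenOS 11 appeared unaffected in testing
    if 12 <= major <= 15:
        return "AT_RISK"         # approximates OxygenOS 12-15
    return "UNKNOWN"             # no vendor statement covers newer majors


def triage(devices: list, allowlist: set, min_patch=None) -> dict:
    """Group device names by classification, preserving input order."""
    buckets: dict = {}
    for d in devices:
        buckets.setdefault(classify(d, allowlist, min_patch), []).append(d["name"])
    return buckets


if __name__ == "__main__":
    for status, names in triage(SAMPLE_DEVICES, PATCHED_BUILDS).items():
        print(f"{status}: {names}")
    print("USB device:", classify(from_getprop(SAMPLE_GETPROP), PATCHED_BUILDS))
```

Feed `triage()` the JSON from devices.list and `from_getprop()` the output of `adb shell getprop`; once OnePlus publishes patched identifiers, fill PATCHED_BUILDS (and, if they state one, pass min_patch) and anything still AT_RISK is your remaining exposure.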
Where we can help
- Risk assessment & prioritization for fast decisions across your app, IdP, and device stack — Risk Assessment Services.
- Hands-on remediation (IdP/MFA hardening, MDM policy rollout, evidence) — Remediation Services.
- Quick perimeter sanity-check while you work: run our Free Website Security Scanner (great for external hygiene alongside mobile hardening): https://free.pentesttesting.com/
DEV corner: extra scripts & snippets
Python (local workstation): sanity-check the connected device and flag at-risk OxygenOS:
import re
import subprocess

def sh(cmd):
    return subprocess.check_output(cmd, shell=True, text=True).strip()

props = sh("adb shell getprop")
oos = (re.search(r"\[ro\.rom\.version\]: \[(.+?)\]", props)
       or re.search(r"\[ro\.build\.display\.id\]: \[(.+?)\]", props))
sec = re.search(r"\[ro\.build\.version\.security_patch\]: \[(.+?)\]", props)
ver = oos.group(1) if oos else "unknown"
print("OxygenOS:", ver)
print("Android patch:", sec.group(1) if sec else "unknown")
# Heuristic: the version string format varies by build ("Oxygen OS 12.1...", "14.0.0.xxx"),
# so look for a 12-15 major version either at the start or right after "Oxygen OS".
if re.search(r"(?:^|oxygen\s?os\s*)(1[2-5])\.", ver, re.IGNORECASE):
    print("STATUS: At-Risk until patched.")
Bash (fleet triage via adb over a USB hub):
for s in $(adb devices | awk 'NR>1 && $2=="device"{print $1}'); do
ver=$(adb -s "$s" shell getprop ro.rom.version 2>/dev/null || true)
[ -z "$ver" ] && ver=$(adb -s "$s" shell getprop ro.build.display.id)
echo "$s => $ver"
done
Okta — deactivate the Phone authenticator (covers SMS and voice) through the Authenticators API; remove it from your authenticator enrollment policies first, then:
# List authenticators and note the "id" of the entry whose "key" is "phone_number"
curl -s -H "Authorization: SSWS ${OKTA_API_TOKEN}" "https://${OKTA_DOMAIN}/api/v1/authenticators"
# Deactivate it so SMS can no longer satisfy sign-in or step-up
curl -s -X POST -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
  "https://${OKTA_DOMAIN}/api/v1/authenticators/${PHONE_AUTHENTICATOR_ID}/lifecycle/deactivate"
Android Enterprise — Work profile required for corporate apps:
{
  "advancedSecurityOverrides": { "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED" },
  "passwordRequirements": { "passwordQuality": "ALPHANUMERIC", "passwordMinimumLength": 8 },
  "applications": [
    { "packageName": "com.azure.authenticator", "installType": "FORCE_INSTALLED" }
  ]
}
Further reading from our blog
- CVE-2025-29829: Not Juniper J-Web. Read this first → https://www.pentesttesting.com/cve-2025-29829-not-juniper-j-web/
- CISA KEV Adds CVE-2025-5086: What You Must Do → https://www.pentesttesting.com/cisa-kev-adds-cve-2025-5086/
- PCI DSS 4.0: Your Post-March 31 Remediation Plan → https://www.pentesttesting.com/pci-dss-4-0-remediation/
Explore more on our main site and blog:
https://www.pentesttesting.com/ | https://www.pentesttesting.com/blog/
Need help locking this down fast?
We can assess, harden, and prove fixes—end-to-end.
👉 Risk Assessment Services | Remediation Services | Free perimeter check.
Questions? Ping query@pentesttesting.com — we’ll jump on a call with your security/IT leads today.