Google Wear OS Flaw Lets Any App Send Texts on Behalf of Users


A critical vulnerability discovered in Google Messages for Wear OS has exposed millions of smartwatch users to a significant security risk.

Identified as CVE-2025-12080, the flaw allows any installed application to send text messages on behalf of the user without requiring permissions, confirmation, or user interaction.

Security researcher Gabriele Digregorio discovered the vulnerability in March 2025 and was awarded a bounty through Google’s Mobile Vulnerability Reward Program for responsible disclosure.

How the Vulnerability Works

The vulnerability stems from improper intent handling in Google Messages when it operates as the default SMS, MMS, or RCS application on Wear OS devices.

An intent is an Android messaging mechanism that allows applications to request actions from other components. Normally, when an app sends a sensitive intent such as ACTION_SENDTO for message delivery, the receiving application should display a confirmation prompt.

However, Google Messages on Wear OS bypasses this critical security measure, automatically processing message intents without user confirmation.

The flaw affects four URI schemes: sms:, smsto:, mms:, and mmsto:. An attacker can craft a seemingly innocent application that, when installed on a target device, automatically triggers message sending intents to arbitrary phone numbers without the user’s knowledge or explicit approval.

Google Messages simply executes these requests silently, violating Android’s permission model and creating what security researchers call a “confused-deputy” vulnerability.
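For contrast, here is a sketch of how a receiving app can handle ACTION_SENDTO so that caller-supplied data only pre-fills a draft and nothing is sent without a tap from the user. It is an added example, not Google Messages code or part of the researcher's report; the class name, the `sendConfirmed` hook and the minimal UI are hypothetical, and `sms_body` is the conventional extra key for message text.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.widget.Button
import android.widget.EditText
import android.widget.LinearLayout

// Hypothetical compose screen for a default SMS app; all names are illustrative.
class ConfirmingComposeActivity : Activity() {

    data class Draft(val recipients: List<String>, val body: String)

    private val messagingSchemes = setOf("sms", "smsto", "mms", "mmsto")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val draft = parseSendTo(intent) ?: run { finish(); return }

        // Caller-supplied values only pre-fill editable fields the user can inspect.
        val to = EditText(this).apply { setText(draft.recipients.joinToString(", ")) }
        val body = EditText(this).apply { setText(draft.body) }
        val send = Button(this).apply {
            text = "Send"
            // The only path to delivery is this explicit tap by the user.
            setOnClickListener { sendConfirmed(to.text.toString(), body.text.toString()) }
        }
        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(to); addView(body); addView(send)
        })
    }

    // Treats the intent as untrusted input: checks action and scheme, then builds a draft.
    private fun parseSendTo(intent: Intent): Draft? {
        if (intent.action != Intent.ACTION_SENDTO) return null
        val uri = intent.data ?: return null
        val scheme = uri.scheme?.lowercase() ?: return null
        if (scheme !in messagingSchemes) return null
        val recipients = uri.schemeSpecificPart.orEmpty()
            .substringBefore('?')          // drop any query part after the number list
            .split(',', ';')
            .map { it.trim() }
            .filter { it.isNotEmpty() }
        return Draft(recipients, intent.getStringExtra("sms_body").orEmpty())
    }

    // Hypothetical hook into the app's own send pipeline; reached only from the tap above.
    private fun sendConfirmed(recipients: String, body: String) {
        // App-specific delivery goes here.
    }
}
```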

Since Google Messages is the default messaging app on most Wear OS devices with limited third-party alternatives, the vulnerability affects a substantial portion of smartwatch users.

The exploitation requirement is minimal: an attacker merely needs to distribute an application that appears legitimate through app stores or other distribution channels.

The malicious app requires no special permissions like SEND_SMS and can activate upon launch or through user interaction with interface buttons.

An attacker could weaponize this flaw to send messages to premium-rate numbers, distribute spam or phishing content, impersonate the user for social engineering attacks, or facilitate financial fraud.

The attack remains stealthy because users typically receive no notifications and cannot easily tell that messages were sent without their authorization, making detection extraordinarily difficult until significant damage occurs.

Digregorio’s proof-of-concept demonstrates the vulnerability using standard Android programming practices.

The exploit invokes ACTION_SENDTO intents specifying recipient phone numbers and message content through the vulnerable URI schemes.

The application can trigger these intents automatically when opened or when users interact with buttons, tiles, or complications on the Wear OS interface. Testing confirmed the vulnerability on Pixel Watch 3 devices running Wear OS with Android 15.

The concerning aspect is that exploitation requires no technical sophistication or advanced hacking techniques. Any developer could build abuse of this vulnerability into an application, whether intentionally or through compromised app store accounts.

Google has been notified of this vulnerability through responsible disclosure channels. Users should update Google Messages to the latest available version when patches become available.

Additionally, Wear OS users should exercise caution when installing applications and review app permissions carefully, even though this particular vulnerability bypasses standard permission requirements.

Security-conscious users should consider alternative messaging applications when available on their Wear OS devices, though options remain limited compared to Android phones.
