OnePlus might be hyping up the arrival of its upcoming OnePlus 15 flagship, but many owners of older devices have a much bigger issue to worry about: a dangerous security flaw that leaves text messages wide open. According to researchers at Rapid7, certain OnePlus smartphones running OxygenOS 12, 14, and even the early builds of 15 contain a critical vulnerability that exposes SMS and MMS content without the user’s knowledge or consent. 
In practice, this means that any app installed on the device could potentially snoop on private conversations and metadata without asking for permission.
The flaw, tracked as CVE-2025-10184, originates from custom changes OnePlus made to the Android Telephony service. These tweaks, intended to modify how messaging works on OxygenOS, inadvertently broke one of Android’s most fundamental protections. Rapid7 says it tried multiple times to warn OnePlus about the issue long before going public, but the company initially stayed silent. Only after the disclosure appeared online did OnePlus confirm that the flaw is real.
In an official statement, OnePlus acknowledged the problem and promised that a patch will begin rolling out worldwide in mid-October 2025. The company emphasized that it remains “committed to protecting customer data and continuing to prioritize security improvements.” That’s reassuring, but many users have pointed out the worrying delay between the initial report and the company’s action. In an industry where competitors like Samsung and Apple often rush emergency patches within days of a discovery, months of silence look like a serious misstep.
So what can you do in the meantime? Security experts suggest several precautions. Stick to apps downloaded from the Play Store or other trusted sources, and delete anything you don’t really need. Move sensitive chats to encrypted messaging services such as Signal or WhatsApp (though even these apps are not immune, as iPhone 16 owners recently learned from a separate WhatsApp vulnerability). And when it comes to two-factor authentication, it’s better to use an authenticator app than to rely on SMS codes, which are easier to intercept in general.
It’s also worth remembering that these practices apply beyond OnePlus devices. Samsung’s Galaxy S25 faced its own messaging security hole not long ago, and iOS has had its share of emergency fixes too. Cybersecurity is a moving target, and no platform is untouchable. That’s why experts stress simple habits like keeping your device updated, applying patches promptly, and avoiding shady downloads or suspicious websites. These habits may sound obvious, but they’re the easiest way to protect your data from being caught in the crossfire of the next big exploit.
For OnePlus users, the patch can’t come soon enough. Until it lands, the safest path is to treat SMS as inherently insecure and adjust your digital habits accordingly. The incident serves as a reminder that even flashy flagship brands can stumble when it comes to fundamentals, and that user vigilance often makes the difference between staying safe and getting burned by a security lapse.
2 comments
2FA via sms was already weak, this just proves it even more
lol another android bug?? oneplus just can’t catch a break 🤦