A vulnerability in the Google Messages app for Wear OS has jeopardized the privacy of millions of smartwatch owners, allowing third-party applications to send messages on behalf of users without requesting permissions or confirmation. The issue, identified as CVE-2025-12080, affects devices where Google Messages is configured as the default client for sending SMS, MMS, or RCS communications.
The flaw stems from improper handling of Android Intents—mechanisms that enable one application to request an action from another. In cases involving sensitive operations, such as sending messages via the ACTION_SENDTO intent, the system should prompt the user for confirmation. However, the Wear OS version of Google Messages bypasses this verification step, dispatching messages immediately and thereby violating Android’s core security model.
The vulnerability covers four URI schemes—sms:, smsto:, mms:, and mmsto:—which means that a malicious app installed on a smartwatch can silently initiate message transmissions to arbitrary numbers. The malicious app needs no SEND_SMS permission and can trigger message sending either automatically upon launch or through user interactions with interface elements such as buttons, tiles, or widgets.
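As an added illustration (not Google Messages' code), this is the shape of a default-messaging client's ACTION_SENDTO handler that performs the step the article says the Wear OS app skipped: it parses the sms:/smsto:/mms:/mmsto: URI and any prefilled body, then sends only after the wearer explicitly confirms. The package name, class name and the manifest intent-filter that routes these schemes to it are assumptions.

```kotlin
// Illustrative handler (added example): a default SMS client that will not send a
// message handed to it via ACTION_SENDTO until the user confirms on screen.
package example.messaging   // hypothetical package name

import android.app.Activity
import android.app.AlertDialog
import android.content.Intent
import android.os.Bundle
import android.telephony.SmsManager

class ComposeActivity : Activity() {
    // The schemes named in the advisory; anything else is not handled here.
    private val allowedSchemes = setOf("sms", "smsto", "mms", "mmsto")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data
        val scheme = uri?.scheme
        if (intent?.action != Intent.ACTION_SENDTO || scheme == null || scheme !in allowedSchemes) {
            finish(); return
        }
        // Recipient is the scheme-specific part, e.g. "smsto:+15551234567" -> "+15551234567"
        // (query parameters such as "?body=" are stripped).
        val recipient = uri.schemeSpecificPart.substringBefore('?').trim()
        // "sms_body" is the conventional extra a caller uses to prefill the text.
        val body = intent.getStringExtra("sms_body").orEmpty()
        if (recipient.isEmpty()) { finish(); return }

        // The calling app (which may hold no SEND_SMS permission of its own) never
        // triggers a send directly: the message leaves only after the user taps Send.
        AlertDialog.Builder(this)
            .setTitle("Send message?")
            .setMessage("To: $recipient\n\n$body")
            .setPositiveButton("Send") { _, _ ->
                // This app, as the default SMS client, holds SEND_SMS in its manifest.
                // MMS content would go through the MMS path; text is sent as SMS here.
                getSystemService(SmsManager::class.java)
                    .sendTextMessage(recipient, null, body, null, null)
                finish()
            }
            .setNegativeButton("Cancel") { _, _ -> finish() }
            .setOnCancelListener { finish() }
            .show()
    }
}
```

The security property is that no code path reaches sendTextMessage without the positive button callback, so an unprivileged caller can at most put a prefilled dialog in front of the wearer.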
The danger lies primarily in the vulnerability’s stealthy nature: messages are sent without any notification or visible sign of activity, leaving users unaware of compromise. Evidence of intrusion can only be inferred from indirect indicators. Consequently, an attacker could leverage this flaw to distribute spam, launch phishing campaigns, send messages to premium-rate numbers, or impersonate the victim for social engineering schemes.
The vulnerability was discovered in March 2025 by security researcher Gabriele Digregorio, who responsibly disclosed it through Google’s Mobile VRP program and received a bounty reward. To demonstrate the flaw, Digregorio developed a functional exploit using standard Android programming techniques. Tests confirmed the issue on a Pixel Watch 3 running Wear OS and Android 15.
The situation is further aggravated by the fact that Google Messages comes preinstalled on most smartwatches, and alternatives among third-party messengers are scarce. As a result, the exposure is extensive, and the attack can be executed simply by disguising a malicious app as harmless and distributing it via app stores or other channels.
Google has already been notified of the issue, and users are strongly urged to install updates as soon as they become available. Experts also recommend exercising greater caution when selecting applications and reviewing granted permissions, even though in this case the standard permission controls offer no protection, since the sending app needs none. Where possible, users may consider switching to alternative messaging clients, though options within the Wear OS ecosystem remain limited.