
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Vulnerability: CVE-2025-12080 affects Google Messages on Wear OS when it is the default SMS/MMS/RCS handler. Any installed app can trigger an ACTION_SENDTO intent with sms:/smsto:/mms:/mmsto: URIs and cause Google Messages (Wear) to immediately dispatch a message without showing a compose/confirmation UI and without requiring SEND_SMS or other privileged permissions.

Why it happens (Android intent flow): On A...

🔧 Technical Details

Intent abuse against default SMS handlers on Wear OS: If an app is the default SMS/MMS/RCS handler and mishandles Intent.ACTION_SENDTO for sms:/smsto:/mms:/mmsto: URIs, a non-privileged app can trigger message sending by launching the intent directly. Generic pattern:

```kotlin
val i = Intent(Intent.ACTION_SENDTO, Uri.parse("smsto:+E164"))
i.putExtra("sms_body", "<payload>")
startActivity(i)
```

Because the caller does not need SEND_SMS, any app (or a Tile/Complication that starts activities) can cause silent dispatch if the target app auto-sends instead of presenting a confirmation UI.

🤖 Agent Actions

I analyzed the repository and found the most relevant place to document this technique is the existing Android Intent Injection page:

  • src/mobile-pentesting/android-app-pentesting/intent-injection.md

This page already covers Intent abuse patterns, deep links, and intent redirection, making it the ideal spot to add a concise, technical section on abusing ACTION_SENDTO with sms/smsto/mms/mmsto URIs against default SMS handlers, including the Wear OS auto-send behavior.

What I added:

  • A new section: “Abusing ACTION_SENDTO sms/smsto/mms/mmsto against default SMS handlers (Wear OS auto-send)”
    • Explains the abuse pattern and how Android routes ACTION_SENDTO with sms/smsto/mms/mmsto to the default messaging app.
    • Clarifies the secure vs vulnerable behavior (composer UI vs auto-send).
    • Provides minimal Kotlin PoC and an ADB PoC.
    • Lists supported schemes, typical extras (sms_body), and the key fact that the caller does not need SEND_SMS permission.
    • Notes that Wear OS Tiles/Complications can also launch startActivity and trigger the same flow.
    • Outlines impact (silent SMS/MMS/RCS sending).
    • Offers practical hunting tips and test flow.
  • Updated the References section to include the blog/PoC link:

Changes implemented in one file only:

  • Modified src/mobile-pentesting/android-app-pentesting/intent-injection.md to add the new section and reference.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
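The secure side of the "composer UI vs auto-send" distinction described above, as an added example that is not part of this PR, the HackTricks page, or Google Messages: a handler activity that treats the ACTION_SENDTO URI and `sms_body` extra as a draft and sends only on an explicit user tap. The class name `ConfirmingComposeActivity` is hypothetical, and the sketch assumes the manifest already declares the ACTION_SENDTO intent filter for these schemes and handles a single-recipient text message only.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.telephony.SmsManager
import android.widget.Button
import android.widget.EditText
import android.widget.LinearLayout
import android.widget.TextView

// Hypothetical handler for a default SMS app (illustrative, not any vendor's code).
// Assumption: the app holds SEND_SMS as the default handler; the caller does not.
class ConfirmingComposeActivity : Activity() {
    private val smsSchemes = setOf("sms", "smsto", "mms", "mmsto")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data
        val scheme = uri?.scheme?.lowercase()
        if (intent?.action != Intent.ACTION_SENDTO || uri == null ||
            scheme == null || scheme !in smsSchemes) {
            finish()
            return
        }

        // Everything below is caller-controlled input: use it to pre-fill a draft, nothing more.
        // "smsto:+E164?body=x" -> "+E164"
        val recipient = uri.schemeSpecificPart?.substringBefore('?')?.trim().orEmpty()
        val draft = intent.getStringExtra("sms_body").orEmpty()
        if (recipient.isEmpty()) { finish(); return }

        val to = TextView(this).apply { text = "To: $recipient" }
        val body = EditText(this).apply { setText(draft) }
        val send = Button(this).apply { text = "Send" }

        // The only path to SmsManager is this click listener; onCreate never sends.
        send.setOnClickListener {
            val text = body.text.toString()
            if (text.isBlank()) return@setOnClickListener
            // getSystemService(SmsManager::class.java) requires API 31+.
            getSystemService(SmsManager::class.java)
                .sendTextMessage(recipient, null, text, null, null)
            finish()
        }

        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(to); addView(body); addView(send)
        })
    }
}
```

When reviewing a handler, the property to check is the same one shown here: no code reachable from `onCreate` or `onNewIntent` calls a send API without passing through a user-driven UI event.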

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-12080

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Security > Intent Spoofing & Abuse (ACTION_SENDTO sms/smsto/mms/mmsto) against default SMS handlers".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop closed this Nov 7, 2025