Warning issued over major flaw in millions of Android phones can expose your texts and vital security codes

Image: a hand holding a OnePlus phone (photo: Unsplash). Caption: OnePlus is working on a fix for the Android flaw, which it hopes to release next month.

By Aaron Brown

Published: 28/09/2025 15:43

OnePlus devices will receive a critical update next month

  • Security researchers uncovered a flaw inside OnePlus phones
  • It allows Android apps to read the contents of your text messages
  • That includes private chats and two-factor authentication codes
  • This could allow hackers to spoof your identity and log in to other apps
  • OnePlus is working on a fix
  • It'll be issued to every handset running software released since 2020
  • In the meantime, OnePlus owners should take precautions

If you're reading this on a OnePlus phone, you might want to sit down. These popular Android phones allow third-party apps to peek at your private text messages. Unless you're still running OxygenOS 11, a version of the Android operating system released five years ago, your OnePlus is exposed to the flaw.

Security company Rapid7 was first to discover the flaw, which relates to changes the OnePlus team made to the Telephony service within Android. In a nutshell, it allowed apps installed on your handset to access SMS data “without permission, user interaction, or consent.”

That means apps could read your text messages, including private conversations with friends and family, as well as critical two-factor authentication codes. These codes are used to ensure that an email address and password alone aren't enough for someone to access your account; they also need access to your phone.
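As an added illustration, and not code from the article, Rapid7 or OnePlus (the article does not describe the specific OnePlus defect, so this is a generic example of the control involved rather than a statement of what OnePlus got wrong), the Android manifest fragment below shows what "without permission" means in practice. Android normally gates SMS reads behind the READ_SMS runtime permission, which the user has to grant. A system component that re-exposes message data through its own exported content provider, but sets no read permission on it, hands that data to every installed app regardless of what the user granted. The package, class and authority names are hypothetical.

```xml
<!-- Added illustration; hypothetical names, not from the article or OnePlus. -->

<!-- Weak declaration: the provider is reachable by any app on the device, and
     nothing requires the caller to hold READ_SMS. Android's normal permission
     prompt never appears, which is the "without permission, user interaction,
     or consent" condition described in the article. -->
<provider
    android:name="com.example.telephony.MessageProvider"
    android:authorities="com.example.telephony.messages"
    android:exported="true" />

<!-- Corrected declaration: if the provider does not need to serve other apps,
     keep it private to its own package. -->
<provider
    android:name="com.example.telephony.MessageProvider"
    android:authorities="com.example.telephony.messages"
    android:exported="false" />

<!-- Alternative correction when other apps legitimately need it: require the
     same user-granted permission that protects the platform SMS provider, so
     only apps the user has explicitly allowed to read SMS can query it. -->
<provider
    android:name="com.example.telephony.MessageProvider"
    android:authorities="com.example.telephony.messages"
    android:exported="true"
    android:readPermission="android.permission.READ_SMS" />
```

Only the vendor can change declarations like these on a phone's system image, which is why, until the October update lands, the practical control for a OnePlus owner is the one the article gives: reduce the number of installed apps that could make such a request in the first place.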

Image: OxygenOS (photo: OnePlus press office). Caption: Multiple versions of OnePlus' version of Android, dubbed OxygenOS, have been impacted by the latest vulnerability.

Two-factor authentication works well, but this vulnerability means that apps lurking on your handset could siphon off these all-important codes, making it an ineffective safeguard.

The worst part? This vulnerability has been lurking on OnePlus devices for years.

It affects OxygenOS versions 12, 13, 14, and 15, which means if you've bought a OnePlus device in the past four years, you're likely at risk.

Rapid7 researchers first alerted OnePlus to the issue back in May 2025. It's taken a while for OnePlus to acknowledge the issue, now tracked as CVE-2025-10184 with a severity score of 8.2 out of 10.

The Shenzhen-based firm has promised a fix will arrive "starting from mid-October," but that still leaves you vulnerable right now. It's been five months since the flaw was spotted within the Android operating system, and your handset remains unprotected.

So what can you do to protect yourself until that update arrives? First, be incredibly picky about which apps you install – stick to well-known publishers you trust with decent reviews on the Google Play Store. Next, consider ditching SMS-based two-factor authentication altogether and switching to an authenticator app instead, which is far more secure anyway.

Just don't rely on Microsoft Authenticator, which has slowly been scaling back operations over recent months, including deleting saved passwords. For your everyday chats, move away from text messages.

WhatsApp, Signal, Telegram, and similar messaging services offer better protection for your conversations, since these are standalone systems that are end-to-end encrypted.

Most importantly, keep only the apps you actually need on your phone. Every unnecessary app is another potential risk while this vulnerability remains unfixed. Your OnePlus device might be brilliant value for money, but right now, it's leaving your private messages exposed to anyone clever enough to exploit this flaw.
