Key Information

CVE Number: CVE-2025-12080
Vulnerability Type: Intent Abuse in Google Messages for Wear OS
Affected Scope: Google Messages app on Wear OS devices
Discoverer: Gabriele Digregorio (Io_no)
Report Date: March 13, 2025
Fix Date: May 2025

Vulnerability Details

Description: Google Messages contains a misconfiguration when handling specific URI schemes (such as , , , and ), allowing attackers to send messages without the user’s knowledge or authorization.
Attack Method: Attackers can exploit this by installing a malicious app that triggers the intent, thereby abusing the vulnerability to send messages.

Exploitation Method

Prerequisites: The attacker must install an app on the target device capable of automatically triggering the intent.
Code Example: Sample Java code snippet provided, demonstrating how to trigger an SMS intent programmatically.
Proof of Concept (PoC) Availability: Full PoC is available on GitHub.
Test Environment: Pixel Watch 3 running Wear OS (Android 15), Google Messages version 2023.8222.RC09-wear-dynamic.

Attack Scenario

Potential Threat: Attackers can distribute seemingly legitimate apps that silently send messages to arbitrary recipients without user permission or confirmation, potentially leading to security and financial risks.

Disclosure Timeline

Reported: March 13, 2025, via Google Mobile Vulnerability Reward Program.
Reward: April 1, 2025, awarded $2,568.86.
Fixed: May 2025, patch released.
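
A detection-side illustration of the attack scenario above, added here and not part of the advisory or the researcher's PoC: it scans logcat for third-party apps that start a send intent against Google Messages. The logcat line shape, the `android.intent.action.SENDTO` action and the package name are assumptions; the sample log lines, uids and every `com.example.*` name are constructed.

```python
import re
from collections import Counter

# Assumptions, not taken from the advisory: the ActivityTaskManager "START" logcat
# line shape, the SENDTO action, and the Google Messages package name.
MESSAGING_PKG = "com.google.android.apps.messaging"
SEND_ACTIONS = {"android.intent.action.SENDTO"}
START_RE = re.compile(r"ActivityTaskManager: START u\d+ \{(?P<intent>[^}]*)\}.*?from uid (?P<uid>\d+)")
FIELD_RE = re.compile(r"\b(act|dat|cmp)=(\S+)")

# Constructed sample data: log lines, uids and every com.example.* name are invented.
SAMPLE_LOG = """\
05-02 10:15:01.120  1520  2301 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.weather/.MainActivity} from uid 10071
05-02 10:15:04.377  1520  2301 I ActivityTaskManager: START u0 {act=android.intent.action.SENDTO dat=sms:xxxxxxxxxx flg=0x10000000 cmp=com.google.android.apps.messaging/.ExampleComposeActivity} with LAUNCH_MULTIPLE from uid 10142 (BAL_ALLOW_VISIBLE_WINDOW) result code=0
05-02 10:15:09.902  1520  2301 I ActivityTaskManager: START u0 {act=android.intent.action.SENDTO dat=sms:xxxxxxxxxx flg=0x10000000 cmp=com.google.android.apps.messaging/.ExampleComposeActivity} from uid 10142
05-02 10:16:30.004  1520  2301 I ActivityTaskManager: START u0 {act=android.intent.action.SENDTO dat=sms:xxxxxxxxxx cmp=com.google.android.apps.messaging/.ExampleComposeActivity} from uid 10055
"""
UID_TO_PKG = {10071: "com.example.weather", 10142: "com.example.flashlight", 10055: "com.example.contacts"}

def parse_start(line):
    """Return action, data scheme, target package and caller uid of a START line, or None."""
    m = START_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("intent")))
    dat = fields.get("dat", "")
    return {
        "action": fields.get("act"),
        "scheme": dat.split(":", 1)[0] if ":" in dat else "",
        "target": fields.get("cmp", "").split("/", 1)[0],
        "uid": int(m.group("uid")),
    }

def find_suspicious(lines, uid_to_pkg, trusted=frozenset()):
    """Count send intents delivered to the messaging app by untrusted third-party apps."""
    hits = Counter()
    for line in lines:
        ev = parse_start(line)
        if ev is None or ev["action"] not in SEND_ACTIONS or ev["target"] != MESSAGING_PKG:
            continue
        if ev["uid"] % 100000 < 10000:  # app ids below 10000 are system uids, not installed apps
            continue
        caller = uid_to_pkg.get(ev["uid"], f"uid:{ev['uid']}")
        if caller != MESSAGING_PKG and caller not in trusted:
            hits[(caller, ev["scheme"])] += 1
    return hits
```

The uid-to-package map would come from the device's package list, and the `trusted` set holds apps that are expected to open a compose screen, such as a contacts app.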