Your OnePlus Phone Can Be Hacked: A Secret App Can Read All Your Texts Without Permission
Disclosure: This article contains affiliate links. CyberDudeBivash may earn a commission if you purchase via these links at no extra cost to you. We recommend only trusted security training and tools.
Breaking: researchers and incident reports over the last months have revealed campaigns and misconfigurations that allow mobile apps — including apps preinstalled or pushed via third-party services — to access SMS content, OTPs, and message stores on Android devices from certain OEMs. OnePlus users have reported suspicious behavior in specific models and firmware versions where a privileged app or an over-permissive update component reads SMS or intercepts notifications.
Before panic sets in: not every OnePlus device is affected. These issues typically involve one or more of the following high-level factors:
- Privileged system apps with excessive permissions or debugging interfaces.
- Third-party update channels or vendor services that include components with wide access (SMS, notifications, accessibility API).
- Malicious apps distributed via side-loading or SEO-poisoned store pages that request broad permissions and social-engineer users into granting them.
- Misconfigured MDM or enterprise profiles that inadvertently grant apps access to message content.
This CyberDudeBivash report is an authoritative, defensive guide. We’ll explain background, how attackers get to SMS/notifications in broad, non-actionable terms, what signals defenders should hunt for, and practical mitigation steps for users and enterprise security teams.
Scope — Who’s Affected & What’s At Risk
Who might be affected?
- OnePlus users on certain models and firmware revisions where a vendor component or preinstalled app has been reported as over-privileged.
- Users who side-load apps from untrusted sources or follow social-engineered installation instructions.
- Organizations with lax MDM configurations that permit third-party apps broad access to notifications or SMS on corporate devices.
What data is at risk?
- SMS messages and one-time passwords (OTPs).
- Notification contents (which can include 2FA codes, banking alerts, message previews).
- Stored credentials exposed by autofill or accessible apps.
- Potential downstream account takeover if OTPs or session tokens are captured.
Severity is contextual. A single intercepted OTP could enable account takeover; widespread stealthy access across many devices could lead to large-scale fraud, SIM swap assistance, or identity theft. That’s why rapid detection and containment matter.
Background: Android Security, OEM Apps & OnePlus Ecosystem
Android isolates each app in its own sandbox and gates sensitive data behind runtime and signature-level permissions. Device manufacturers, however, preinstall apps in the system and privileged partitions, and those apps can obtain access to SMS, call logs, notifications and other sensitive APIs that ordinary apps cannot: privileged apps through the OEM's privapp-permissions allowlist, and apps signed with the device platform key through signature-level permissions that the platform grants at install time.
Over the years, several security incidents have involved:
- Preinstalled vendor apps exposing interfaces (Intents, debug ports, or broadcast receivers) that could be abused by apps with lesser privileges.
- Update mechanisms that fetch third-party modules without strong code signing or integrity checks.
- Accessibility services — designed to help users with disabilities — being misused by malware to access screen content and read notifications.
OnePlus, like other OEMs, bundles services intended for OTA updates, backup/restore, and device-specific features. If one of those components is misconfigured, or if a third party supplying code to the vendor introduces a bug or malicious module, a “secret app” with wide access can appear on devices — sometimes without obvious UI presence. Responsible vendors will patch quickly once made aware; however, attackers and opportunistic actors move fast.
High-Level: How a "Secret App" Can Read Texts (Defender View)
To be explicit and safe: we will not provide exploit instructions. Instead, here are non-actionable, high-level paths attackers use to obtain SMS/notifications — framed for defenders so they can detect and mitigate them.
- Preinstalled System App Misconfiguration
Some system apps are granted platform or system privileges. If such an app exposes an Intent, broadcast receiver or content provider without proper permission checks, another app on the device (even one without SMS permission) can query that provider and retrieve message data, or trigger behaviour that routes messages to a component that does. Only exported components are reachable this way: a component is exported when it declares android:exported="true" or, on Android 11 and earlier, when it carries an intent-filter and leaves the attribute unset (Android 12 requires an explicit value in that case). Defenders should monitor for unexpected content provider queries to system packages.
- Accessibility Abuse
The Android Accessibility API provides powerful hooks into device UI and notifications for legitimate assistive use. Android never grants it automatically, so a malicious app must social-engineer the user into enabling its service in Settings; once enabled, the app can read on-screen content, including notification text, and forward it to a remote server. Detection is usually possible by checking which packages have an AccessibilityService enabled and correlating that with unexpected network activity.
- Notification Listener Abuse
Apps can declare a NotificationListenerService and ask the user for notification access; once granted, the listener receives every notification posted on the device. A compromised or malicious listener with network access can capture OTPs and message contents. Enterprises should monitor for unapproved notification listeners and limit which packages may hold this access via MDM policy.
- Compromised Update Module / Third-Party SDK
If a vendor's update agent or a third-party SDK embedded in a system app is compromised, it may install or activate components capable of reading messages. Code integrity checks and signed updates are critical to defend against these supply-chain scenarios.
- Side-loaded Malware Requesting SMS/Notification Permissions
Social engineering may trick users into granting SMS, contacts, or notification access to a side-loaded app. While this is not an OEM bug, the practical outcome is identical. Educating users and enforcing side-load restrictions reduces exposure.
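To show what the exported-component and permission checks above look like in practice, here is an added example that is not CyberDudeBivash code and is not taken from any OnePlus firmware: a small Python audit of a decoded AndroidManifest.xml. It flags components that are exported without a guarding permission (the content-provider misconfiguration), services that bind as notification listeners or accessibility services, and the combination of message access with INTERNET. The embedded manifest, its package name com.example.vendor.sync and its component names are constructed for illustration; given a real manifest (decoded first, for example with apktool) as its argument, the script audits that instead.

```python
"""Static audit of a decoded AndroidManifest.xml for the access paths above.

Added example, not CyberDudeBivash code. The embedded manifest is constructed;
package and component names are hypothetical.
Usage on a real decoded manifest: python audit_manifest.py AndroidManifest.xml
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# A service declaring one of these as android:permission is a hook the user can
# enable in Settings; once enabled it sees notification or on-screen content.
BIND_PERMS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"

# Constructed sample (hypothetical package com.example.vendor.sync).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.sync">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Sync Service">
    <provider android:name=".MessageProvider"
              android:authorities="com.example.vendor.sync.messages"
              android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute; None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return (kind, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    requested = {attr(p, "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    findings, hooks = [], []
    for comp in (list(app) if app is not None else []):
        if comp.tag not in ("provider", "receiver", "service", "activity"):
            continue
        name = attr(comp, "name") or "?"
        if name.startswith("."):          # shorthand relative to the package
            name = pkg + name
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Reachable by other apps if exported explicitly, or if android:exported
        # is unset and an intent-filter is present (the default on Android 11 and
        # earlier). An unset attribute on a provider is treated as exported too.
        reachable = exported == "true" or (
            exported is None and (has_filter or comp.tag == "provider"))
        guarded = any(attr(comp, p) for p in
                      ("permission", "readPermission", "writePermission"))
        perm = attr(comp, "permission")
        if perm in BIND_PERMS:
            hooks.append(BIND_PERMS[perm])
            findings.append(("privileged_hook",
                             "%s %s is a %s" % (comp.tag, name, BIND_PERMS[perm])))
        elif reachable and not guarded:
            findings.append(("exported_unguarded",
                             "%s %s is exported with no permission" % (comp.tag, name)))
    # Message access plus network access is the minimum an exfiltrator needs.
    if (requested & SMS_PERMS or hooks) and INTERNET in requested:
        findings.append(("message_exfil_capable",
                         "%s can read messages and reach the network" % pkg))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for kind, detail in audit_manifest(text):
        print("%-22s %s" % (kind, detail))
```

On the sample the script reports the exported provider and the SMS receiver as unguarded, the notification listener as a privileged hook, and the package as exfiltration-capable. A finding is a lead, not proof: a provider may enforce its own permission checks in code, and many legitimate apps (SMS clients, assistive tools) legitimately hold these permissions, so rank the output by install source and vendor signature before acting on it.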
Key defender principle: attackers aim to create an indistinguishable stream of “normal” activity. To counter that, security teams should look for subtle contextual anomalies: new packages requesting unusually broad permissions, notification listeners that appear without user intent, or background processes making network connections shortly after SMS-related events.
Early Indicators & Telemetry to Watch (Useful for SOCs & MDM Admins)
Below are practical signals to hunt for. These are defensive indicators — not exploit guidance.
- New System-signed Packages Appearing — Detect the addition of packages signed with platform keys or system signatures that were not part of factory images.
- NotificationListenerService Registrations — List devices with new active notification listeners; flag those that are not enterprise-approved.
- AccessibilityService Enabled — Monitor which apps are granted Accessibility privileges and correlate with recent installs or updates.
- Unexpected Content Provider Activity — Alert on third-party apps querying system package content providers that normally receive only system traffic.
- Network Connections Following SMS Events — Correlate SMS receipt events (if available in logs) with immediate outbound connections to unknown hosts.
- Unusual Use of System APIs — Track rare API invocations from user apps that normally only system apps use.
- MDM Policy Changes — Alert when MDM pushes add permissions or remove restrictions unexpectedly.
These signals can be surfaced via mobile endpoint logs, MDM telemetry, mobile threat defense (MTD) tools, or specialized mobile telemetry collectors. For consumer users, some indicators are visible in settings (e.g., which apps have notification access or Accessibility enabled) and should be periodically reviewed.
Immediate Actions — What Every OnePlus User Should Do Right Now
If you are concerned about this issue, follow these high-impact, low-risk steps immediately:
- Check Notification Access: Settings → Apps (or Apps & notifications, depending on the OxygenOS version) → Special app access → Notification access; the Settings search box finds it if the path differs. Revoke access for any app you don’t explicitly trust.
- Check Accessibility Permissions: Settings → Accessibility. Revoke any accessibility service you don’t recognize or that you didn’t explicitly enable for accessibility reasons.
- Review Installed Apps: Settings → Apps. Look for unknown or previously unnoticed packages — especially system-like names. If you find suspicious apps, take a screenshot and consult support or security teams before removing if the device is enterprise managed.
- Disable Side-Loading (If Possible): Settings → Apps → Special app access → Install unknown apps. On Android 8 and later this is a per-app setting rather than a Developer options toggle: make sure no browser, messaging or file-manager app is allowed to install packages, and avoid downloading APKs from random websites.
- Update System & Apps: Apply the latest official OnePlus OTA updates (only via official channels) and update Play Store apps. Vendors often release fixes quickly once issues are reported.
- Enable Device Encryption & Screen Lock: Protect your device with a strong PIN plus biometrics. Modern Android devices use file-based encryption by default, and the keys for your data are tied to the lock-screen credential, so the screen lock is what actually protects data at rest.
- Reset if Necessary: If you find a hidden app with suspicious behavior and can’t safely remove it, back up your data, perform a factory reset, and restore only your data (not apps) from a backup taken before the suspicious app appeared. Reinstall apps only from Google Play or the vendor store afterwards. Note that a factory reset removes user-installed apps but not apps baked into the system partition; if the suspicious component is a vendor system app, only an official OTA from the vendor can replace it.
- Rotate 2FA / OTP-based Credentials: After cleanup, rotate critical passwords and, if possible, migrate to phishing-resistant 2FA (hardware keys or FIDO2 authenticators) instead of SMS OTPs.
Enterprise Response — MDM, Detection & Hunting Playbook (High Level)
For enterprise security and MDM teams, rapid, coordinated response is essential. Below is a high-level playbook CyberDudeBivash recommends:
Step 0 — Triage & Scope
- Ingest reports of suspicious packages or user complaints into the incident ticketing system.
- Use MDM to quickly enumerate devices by model, firmware, and package inventory.
Step 1 — Containment
- Use MDM to block app installs on affected groups and quarantine high-risk devices.
- Disable notification listener and accessibility for unapproved apps via policy.
Step 2 — Detection & Hunt
- Hunt for new apps installed in the last 30 days with system-like names or odd signatures.
- Correlate telemetry: MDM logs + network proxies + mobile threat defense (MTD) alerts.
- Search for outbound connections from devices immediately after SMS/notification events.
Step 3 — Eradication & Remediation
- Remediate affected devices via forced uninstall or remote wipe where required.
- Push official vendor updates and ensure code signatures match vendor keys.
- Rotate critical credentials and revoke sessions for compromised users.
Step 4 — Lessons Learned
- Review vendor supply chain and update policies for third-party code inclusion.
- Update MDM policies to restrict notification and accessibility permissions by default.
- Conduct mobile threat exercises and tabletop simulations with the SOC.
Case Studies — SMS/Notification Access Abuse in Android Ecosystem
The OnePlus SMS/notification issue is not a one-off anomaly. History shows multiple Android security lapses involving over-privileged or hidden apps. Here are notable examples:
Case Study 1 — Xiaomi Preinstalled App Exposure (2020)
Researchers found a preinstalled Xiaomi “Analytics” app that had wide-ranging permissions, including SMS access. Though intended for telemetry, improper controls made it abusable. This highlighted the risk of vendor-signed system apps.
Case Study 2 — Samsung Clipboard & Accessibility (2019)
Samsung Galaxy devices exposed sensitive clipboard data to apps via accessibility features. Malicious apps with accessibility enabled could silently read messages and passwords copied by users.
Case Study 3 — OnePlus Engineer Mode App (2017)
OnePlus devices were found to ship with a hidden “EngineerMode” app, which granted root-like access via ADB. While not SMS-focused, it revealed a pattern of vendor utilities creating unintended backdoors.
Case Study 4 — Joker Malware Campaign (2019–2022)
Dozens of Android apps infected with Joker malware bypassed Play Store checks and harvested SMS and notification data for premium service fraud. The persistence of Joker highlighted systemic challenges.
Takeaway: Preinstalled apps, accessibility abuse, and supply-chain code inclusions create recurring opportunities for attackers to silently exfiltrate messages. The OnePlus revelations fit into this larger pattern.
Detection Engineering — Defender-Focused Hunting Rules
SOCs and MDM admins can’t just rely on vendor patches. They must proactively hunt for SMS/notification data exfiltration. Below are defensive-only, non-executable ideas framed as SIEM/EDR queries and MDM checks:
- Query 1 — Accessibility Misuse: Alert when an AccessibilityService belonging to a non-whitelisted app becomes enabled within 24h of that app's install.
- Query 2 — Notification Listener Surge: List new NotificationListenerService registrations across the fleet weekly. Flag any not on the approved baseline.
- Query 3 — Outbound Connections After SMS Receipt: Correlate network telemetry to detect devices making outbound HTTPS connections seconds after SMS receipt events (if such logs are available).
- Query 4 — System Package Integrity: Compare package signatures and hashes of system apps across the fleet against factory images. Alert on drift.
- Query 5 — Over-Permissioned Apps: Enumerate apps holding both SMS and INTERNET permissions. Rank by install source. Review anomalies.
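Queries 1, 2 and 4 (and the matching entries in the Early Indicators list earlier on this page) are all one technique: diff each device's state against an approved baseline. Here it is as an added Python example that is not part of the original post. The records mimic an MDM/MTD inventory export; the `listeners` and `accessibility` fields carry the raw strings Android keeps in Settings.Secure (what `adb shell settings get secure enabled_notification_listeners` and `enabled_accessibility_services` print: component names separated by colons, or the string "null" when nothing is enabled), and install times are what `dumpsys package <pkg>` reports as firstInstallTime. Device IDs, package names (com.corp.mtd, com.vendor.ota, com.example.helper and the rest), timestamps and signer digests are constructed and hypothetical.

```python
"""Fleet baseline drift for notification listeners, accessibility services and
system package signatures (added example, not CyberDudeBivash code).

Records mimic an MDM/MTD inventory export. `listeners` / `accessibility` hold the
raw Settings.Secure strings: ComponentNames separated by ':', or "null".
Device IDs, package names, timestamps and digests are constructed.
"""
from datetime import datetime, timedelta

BASELINE = {
    # Components the enterprise approves (hypothetical MTD agent).
    "listeners": {"com.corp.mtd/com.corp.mtd.NotificationMonitor"},
    "accessibility": set(),
    # Truncated signing-cert SHA-256 per system package, from the factory image.
    "system_digests": {"com.vendor.ota": "3f1c9a", "com.vendor.backup": "3f1c9a"},
}

FLEET = [
    {"device": "dev-0001", "observed": "2025-01-10T09:00:00",
     "listeners": "com.corp.mtd/com.corp.mtd.NotificationMonitor",
     "accessibility": "null",
     "installed": {"com.corp.mtd": "2024-11-01T12:00:00"},
     "system_digests": {"com.vendor.ota": "3f1c9a", "com.vendor.backup": "3f1c9a"}},
    {"device": "dev-0002", "observed": "2025-01-10T09:00:00",
     "listeners": "com.corp.mtd/com.corp.mtd.NotificationMonitor:"
                  "com.example.helper/com.example.helper.NlService",
     "accessibility": "com.example.helper/com.example.helper.A11yService",
     "installed": {"com.corp.mtd": "2024-11-01T12:00:00",
                   "com.example.helper": "2025-01-09T22:15:00"},
     # OTA agent carries a different signer; one package is absent from the factory image.
     "system_digests": {"com.vendor.ota": "b7d2e0", "com.vendor.backup": "3f1c9a",
                        "com.vendor.syncsvc": "b7d2e0"}},
]


def parse_components(value):
    """Split a Settings.Secure component list; '' and 'null' mean none enabled."""
    if not value or value == "null":
        return set()
    return {c for c in value.split(":") if c}


def hunt_device(dev, baseline, recent=timedelta(hours=24)):
    """Return (kind, subject) findings for one device record."""
    findings = []
    observed = datetime.fromisoformat(dev["observed"])
    for kind, key in (("listener", "listeners"), ("accessibility", "accessibility")):
        for comp in sorted(parse_components(dev[key]) - baseline[key]):
            findings.append(("unapproved_" + kind, comp))
            pkg = comp.split("/", 1)[0]
            installed = dev["installed"].get(pkg)
            # Query 1: a hook active on a package installed within the last 24h.
            if installed and observed - datetime.fromisoformat(installed) <= recent:
                findings.append((kind + "_on_package_installed_within_24h", pkg))
    # Query 4: signer drift, or a "system" package the factory image never had.
    for pkg, digest in sorted(dev["system_digests"].items()):
        expected = baseline["system_digests"].get(pkg)
        if expected is None:
            findings.append(("system_package_not_in_factory_image", pkg))
        elif digest != expected:
            findings.append(("system_signature_drift", pkg))
    return findings


def hunt_fleet(fleet, baseline):
    return {d["device"]: hunt_device(d, baseline) for d in fleet}


if __name__ == "__main__":
    for device, found in hunt_fleet(FLEET, BASELINE).items():
        print(device, "clean" if not found else "")
        for kind, subject in found:
            print("   ", kind, subject)
```

dev-0001 comes back clean; dev-0002 produces six findings: an unapproved listener and accessibility service, both on a package installed under eleven hours earlier, a signer change on the OTA agent, and a system package the factory image never shipped. The baseline must be per model and firmware build, since signer digests and preinstalled package lists differ between them, which is why the playbook below asks for golden images.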
These rules do not provide attacker tradecraft but give SOCs actionable starting points to identify suspicious SMS access patterns.
Enterprise Mobile Security Playbooks
Playbook 1 — Preventive MDM Configuration
- Block side-loading entirely for enterprise devices.
- Pre-approve a whitelist of notification and accessibility apps.
- Force vendor updates within 7 days of release.
- Enforce encryption and secure lock screens.
Playbook 2 — Detection & Monitoring
- Enable mobile threat defense (MTD) agents for real-time telemetry.
- Correlate mobile events with corporate SIEM (Splunk, ELK, Sentinel).
- Establish “golden images” of OnePlus devices for forensic baseline.
Playbook 3 — Incident Response
- On detection, isolate affected device via MDM quarantine.
- Communicate with user: reset credentials and revoke sessions.
- Escalate to vendor support for patch ETA.
- Conduct forensic analysis to validate if SMS were exfiltrated.
SOC Runbook — Responding to Hidden App SMS/Notification Threats
SOCs need structured playbooks to respond quickly when SMS/notification leaks are suspected. Below is a CyberDudeBivash reference runbook:
Step 1 — Detection
- Ingest mobile endpoint alerts showing abnormal notification listener/Accessibility registration.
- Correlate with DNS logs for unusual domains contacted immediately after SMS events.
- Validate device firmware versions against the builds named in the vendor's security advisories or in the reports you are acting on.
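The SMS-then-network correlation named in Step 1 (and in Query 3 of the detection engineering section above), as an added Python example that is not code from the original post. The two log extracts are constructed for illustration in a key=value shape that MTD agent events and proxy or DNS logs can be normalised into; device IDs, packages, hosts and addresses (RFC 5737 ranges) are hypothetical, and the 30-second window and the allowlist are tuning parameters.

```python
"""Correlate SMS receipt events with outbound connections (added example, not
CyberDudeBivash code). Both logs are constructed: one event per line as
'ISO-timestamp key=value ...'. Devices, packages, hosts and IPs are hypothetical.
"""
import re
from collections import Counter
from datetime import datetime

SMS_LOG = """\
2025-01-10T09:01:02 device=dev-0002 event=SMS_RECEIVED
2025-01-10T09:07:40 device=dev-0002 event=SMS_RECEIVED
2025-01-10T09:30:00 device=dev-0001 event=SMS_RECEIVED
"""

NET_LOG = """\
2025-01-10T09:01:05 device=dev-0002 pkg=com.example.helper host=cdn-upd.example dst=203.0.113.10:443
2025-01-10T09:01:06 device=dev-0002 pkg=com.android.chrome host=mail.corp.example dst=198.51.100.7:443
2025-01-10T09:07:44 device=dev-0002 pkg=com.example.helper host=cdn-upd.example dst=203.0.113.10:443
2025-01-10T09:12:00 device=dev-0002 pkg=com.example.helper host=cdn-upd.example dst=203.0.113.10:443
2025-01-10T09:30:01 device=dev-0001 pkg=com.corp.push host=push.corp.example dst=198.51.100.8:443
2025-01-10T09:30:20 device=dev-0001 pkg=com.example.weather host=api.weather.example dst=192.0.2.44:443
"""

# Destinations the fleet talks to constantly; excluded so they do not drown the signal.
ALLOWED_HOSTS = frozenset({"mail.corp.example", "push.corp.example"})
KV = re.compile(r"(\w+)=(\S+)")


def parse_kv_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def correlate(sms_events, net_events, window_s=30, allowed_hosts=ALLOWED_HOSTS):
    """Connections from the same device within window_s after an SMS arrives."""
    hits = []
    for sms in sms_events:
        if sms.get("event") != "SMS_RECEIVED":
            continue
        for net in net_events:
            if net.get("device") != sms.get("device") or net.get("host") in allowed_hosts:
                continue
            delta = (net["ts"] - sms["ts"]).total_seconds()
            if 0 <= delta <= window_s:          # only traffic *after* the SMS counts
                hits.append({"device": sms["device"], "pkg": net.get("pkg"),
                             "host": net.get("host"), "after_s": delta})
    return hits


def rank(hits):
    """One hit can be coincidence; the same package answering every SMS is the signal."""
    return Counter((h["device"], h["pkg"]) for h in hits)


if __name__ == "__main__":
    found = correlate(parse_kv_log(SMS_LOG), parse_kv_log(NET_LOG))
    for (device, pkg), n in rank(found).most_common():
        print(device, pkg, "connected within 30s of", n, "SMS event(s)")
```

On the sample, com.example.helper on dev-0002 reaches the same host seconds after both SMS events while the weather app on dev-0001 scores a single coincidental hit, which is why the ranking step counts repeats per device and package rather than alerting on every match. In production, the per-package attribution depends on an on-device agent (a proxy alone sees only the device), and the window should be measured from your own baseline of how quickly legitimate apps react to incoming messages.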
Step 2 — Triage
- Scope: Which users and which device models are affected?
- Impact: Were OTPs or sensitive notifications accessed and exfiltrated?
Step 3 — Containment
- MDM quarantine affected devices.
- Block network destinations associated with suspicious apps.
Step 4 — Eradication
- Force uninstall suspicious apps or perform factory reset if persistence suspected.
- Apply latest vendor OTA updates and verify code signature integrity.
Step 5 — Recovery
- Revoke sessions and reset credentials for affected accounts.
- Educate users on avoiding sideloaded apps and reviewing notification/Accessibility permissions.
Step 6 — Lessons Learned
- Update mobile security baseline and detection queries.
- Reassess vendor risk: demand stronger transparency from OEMs on system app permissions.
User & Stakeholder Communications Template
Internal Memo to Staff:
We have identified a risk in certain OnePlus devices where hidden or over-privileged apps may read SMS and notification data. While not all devices are impacted, we are applying precautionary measures. Please ensure your device is updated, review app permissions, and avoid side-loading apps. If you receive a quarantine notice via MDM, follow IT instructions for reset and remediation. — CyberDudeBivash SOC
Customer Advisory (Public Blog Post):
CyberDudeBivash is actively monitoring vulnerabilities in OnePlus devices where a hidden or misconfigured app can read messages without permission. We advise all OnePlus users to immediately update their devices, review accessibility and notification permissions, and rotate OTP-protected credentials. Enterprises should enforce MDM restrictions to prevent exploitation at scale.
FAQ — OnePlus SMS/Notification Access Threat
Q1. Is every OnePlus device affected?
No. The issue appears linked to certain firmware versions or preinstalled apps. Many devices are unaffected if fully updated.
Q2. How can an app read texts without explicit SMS permission?
Through indirect abuse: accessibility services, notification listeners, or misconfigured system apps signed with vendor keys.
Q3. Can Google Play Protect stop this?
Play Protect can detect known malicious apps, but it cannot always detect over-privileged vendor apps or zero-day exploits.
Q4. Should I switch from SMS OTP to app-based 2FA?
Yes. Migrating to app-based or hardware security key 2FA dramatically reduces exposure.
Q5. What should enterprises do today?
Use MDM to restrict notification and Accessibility permissions, block side-loading, and push latest firmware updates.
CyberDudeBivash Services — Mobile & OEM Threat Defense
Stay Ahead of OEM Mobile Threats
CyberDudeBivash provides mobile forensics, MDM configuration audits, SOC playbook development, and training for enterprises defending against hidden app threats.
Partner with us → cyberdudebivash.com
#CyberDudeBivash #OnePlus #AndroidSecurity #SMSLeak #NotificationHijack #MobileThreats #CyberSecurity