Particle.news

OnePlus Promises Mid-October Fix for OxygenOS Flaw That Lets Apps Read SMS

The company plans a global patch after Rapid7 disclosed an SMS permission bypass.

Overview

  • Rapid7 reported that a permission bypass in OxygenOS allows any installed app to access SMS and MMS data without user consent.
  • The issue affects OxygenOS versions 12 through 15; tests confirmed impact on the OnePlus 8T and 10 Pro, and other models are likely affected.
  • OnePlus says it has implemented a fix and will begin rolling out a global software update starting in mid-October.
  • Researchers trace the flaw to OnePlus’s modifications of Android’s Telephony package, adding exported content providers without proper permissions and exposing potential SQL injection paths.
  • There are no confirmed exploitation reports, and users are advised to limit installed apps and switch from SMS-based MFA to authenticator apps until devices are updated.