A critical vulnerability in OnePlus's Android implementation allows malicious apps to access SMS content without permissions or user interaction. Despite seven disclosure attempts by Rapid7 over four months, OnePlus failed to respond, leaving millions of devices exposed. The unpatched flaw enables attackers to reconstruct private messages via SQL injection attacks.