The vulnerability can let installed mobile apps access SMS/MMS data on a OnePlus phone without asking for user permission, creating a pathway to steal two-factor authentication codes.