Security researcher Elliot Alderson seems to have uncovered a new privacy breach in OxygenOS, the default ROM on OnePlus devices. The good news is that it only applies to the latest Oreo beta for the OnePlus 5T. The bad news? Well, just about everything else.
The changelog for OxygenOS Open Beta 2 lists a new clipboard application, which is apparently the source of the suspicious activity. Alderson’s first tweet, in the screen grab above, notes what appears to be a keyword logger that is connected to a zip file which appears to phone home to TeddyMobile, a Chinese analytics company that also does business with OnePlus’s sister brands Oppo and Vivo. One of the services offered by TeddyMobile is “number verification”, and according to Alderson this clipboard app is sending your phone number and device IMEI directly to TeddyMobile, along with your text messages, even bank account numbers.
OnePlus has yet to publicly respond to any of this. Until they do, it’s safe to say that you should not install the latest Oreo beta on your OnePlus 5T. In fact, now would be a great time to look into flashing a custom ROM instead.