ColorOS pre-grants dangerous permissions to apps that are listed in a whitelist XML named default-grant-permissions. However, some apps in the whitelist are not installed, so an attacker can disguise an app with the same package name to obtain the dangerous permissions.
[
{
"product": "OPPO Android Phone",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OPPO Mobile phones with ColorOS 11 version"
}
]
}
]