Yet another android vulnerability which I found on Xiaomi: giant mobile manufacturer company.
Summary: There inbuilt SMS is an application pre-installed on those devices. The application is built with feature which sync in to cloud using webview through application’s sandbox.
This application can also be launched from the browser and have its WebView directed to load an arbitrary URL and allow access to local file system, read local resources and access network resources.