I was today years old when I got to know that there is a way to auto detect OTP sent via SMS with SMS READ permission. WTF!!

    SMS messages can be read by apps that can read SMS. A great tautology ;)

    I'm not sure where your security bug lies, and if targeting Android, your app shouldn't pass the Play Store verification if you solely use the SMS permission for that purpose.
    Also, there are multiple permissions for SMS. I think the most restrictive one had to have some code at the beginning of the SMS saying it's for your app and you can read only those. It's a lot harder to get to Play Store with the less restrictive ones.
    @24th-Dragon Do you mean https://developers.google.com/ident... ?
    It is a functionality of Google Play Services apps can use.
    Yea, exactly that
    @sbiewald there was a typo.
    It should've read: without* SMS READ permission
