One issue wrt malleability is whether/how one can recognize that a cyphertext or a plaintext is "valid".
If you just xor with a OTP (which means that every cryptotext is valid) and every plaintext is valid, the receiver can't look at the cyphertext or the plaintext and recognize whether a MITM modified the message.
However, the same is true of any crypto system where every cryptotext and plaintext is valid.
However, if there's some way to recognize/distinguish valid plaintext, OTPs are non-malleable.
If you just xor with a OTP (which means that every cryptotext is valid) and every plaintext is valid, the receiver can't look at the cyphertext or the plaintext and recognize whether a MITM modified the message.
However, the same is true of any crypto system where every cryptotext and plaintext is valid.
However, if there's some way to recognize/distinguish valid plaintext, OTPs are non-malleable.