CVE-2016-10136 in R1 HD
Summary
by MITRE
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/13/2026
The vulnerability identified as CVE-2016-10136 represents a critical privilege escalation flaw affecting BLU R1 HD devices running Shanghai Adups software. This security weakness stems from improper Android permission modeling within the com.adups.fota.sysoper application, which operates with system-level privileges due to its shared user ID configuration. The vulnerability manifests through a content provider named InfoProvider that lacks proper access controls, allowing any application on the device to perform read, write, and delete operations with system-level permissions. This fundamental flaw directly violates the principle of least privilege and creates an attack surface that enables malicious applications to gain unauthorized access to sensitive system resources.
The technical implementation of this vulnerability leverages the android:sharedUserId attribute set to android.uid.system in the AndroidManifest.xml file, which effectively elevates the application's execution context to that of the system user. This configuration transforms what should be a restricted system service into a potential entry point for arbitrary file system manipulation. The content provider's exposed interface creates a direct pathway for privilege escalation attacks, as demonstrated by the ability to modify critical system files such as /data/system/users/0/settings_secure.xml and /data/system/users/0/accounts.db. These files contain sensitive information including notification listener configurations and authentication tokens that provide attackers with persistent access to device functionality and user credentials.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass full system compromise capabilities. Attackers can exploit this weakness to install notification listeners that capture sensitive text content from notifications in real-time, effectively creating a persistent surveillance mechanism. The ability to read the accounts.db file provides access to authentication tokens for various online services, potentially enabling credential theft and account takeover scenarios. Furthermore, the vulnerability allows for file system modifications that can escalate privileges beyond the initial compromise, creating persistent backdoors or enabling additional attack vectors. This represents a classic example of a privilege escalation vulnerability that can be exploited by any application with basic installation permissions, making it particularly dangerous in environments where users may unknowingly install malicious applications.
Security mitigations for this vulnerability must address both the immediate exposure and underlying architectural issues. The primary remediation involves removing or properly restricting access controls on the InfoProvider content provider within the com.adups.fota.sysoper application. This requires implementing proper permission checks and ensuring that only authorized system components can access sensitive data. The shared user ID configuration should be re-evaluated and potentially removed if it is not essential for the application's core functionality. Additionally, device manufacturers should implement runtime monitoring to detect unauthorized modifications to system files and establish proper access control policies that align with the principle of least privilege. This vulnerability demonstrates the importance of secure coding practices and proper permission modeling in mobile applications, as highlighted by CWE-276 which addresses improper file permissions and CWE-732 which deals with incorrect permissions for critical resources. The attack patterns associated with this vulnerability align with ATT&CK techniques such as privilege escalation through shared libraries and persistence mechanisms, emphasizing the need for comprehensive mobile security frameworks that can detect and prevent such exploits.