CVE-2016-10137 in R1 HD
Summary
by MITRE
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete the user's sent and received text messages and call log. This allows a third-party app to obtain PII from the user without permission to do so.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/13/2026
The vulnerability identified as CVE-2016-10137 represents a critical privilege escalation flaw affecting BLU R1 HD devices running Shanghai Adups software. This security weakness stems from improper Android permission configuration within the com.adups.fota.sysoper application, which operates with system-level privileges through the android:sharedUserId attribute set to android.uid.system. The vulnerability manifests through the com.adups.fota.sysoper.provider.InfoProvider content provider, which exposes read, write, and delete capabilities to any application on the device, effectively granting unauthorized access to sensitive user data. This flaw directly violates fundamental Android security principles by allowing non-system applications to execute with system-level permissions, creating a dangerous attack surface that compromises the device's integrity and user privacy.
The technical implementation of this vulnerability leverages Android's shared user ID mechanism, where the com.adups.fota.sysoper application is configured to run under the system user context through the android.uid.system shared user ID. This configuration enables the application to access system resources and perform operations that should normally be restricted to system-level processes only. The InfoProvider content provider serves as the attack vector, exposing sensitive data through its exposed interfaces without proper authentication or authorization checks. The vulnerability is particularly concerning because it allows any third-party application to manipulate the device's core data structures, including text messages and call logs, which contain personally identifiable information and sensitive communication data.
The operational impact of this vulnerability extends beyond simple data theft to encompass comprehensive privacy violations and potential identity theft scenarios. Third-party applications can access and modify user communications, including text messages and call logs, which contain sensitive personal information such as financial details, personal relationships, and private communications. This unauthorized access capability directly violates the principle of least privilege and creates opportunities for malicious actors to harvest personal data, conduct surveillance, or perform identity fraud. The vulnerability essentially provides a backdoor into the device's core communication infrastructure, allowing persistent monitoring and data collection without user consent or knowledge.
From a cybersecurity perspective, this vulnerability aligns with CWE-276, which addresses improper privileges, and represents a classic example of privilege escalation through improper Android manifest configuration. The flaw also maps to ATT&CK technique T1059, which involves executing malicious code through legitimate system processes, and T1070, which covers indicator removal on host systems. The vulnerability demonstrates how third-party software updates can introduce security risks when not properly vetted for privilege escalation potential. Organizations should implement comprehensive mobile device management policies to prevent installation of untrusted applications and regularly audit device configurations to identify similar privilege escalation vulnerabilities. The remediation approach requires immediate patching of the affected software components and implementation of proper Android permission controls to restrict content provider access to authorized applications only, ensuring that system-level privileges are not unnecessarily granted to third-party applications.