CVE-2016-10138 in Advance
Summary
by MITRE
An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore, any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app, utilizing the WriteCommandReceiver, can perform the following actions: call a phone number, factory reset the device, take pictures of the screen, record the screen in a video, install applications, inject events, obtain the Android log, and others. In addition, the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP, it is vulnerable to a MITM attack.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/13/2026
This vulnerability exists in BLU Advance 5.0 and BLU R1 HD devices running Shanghai Adups software where the com.adups.fota.sysoper application is installed as a system-level component with elevated privileges. The core technical flaw stems from the AndroidManifest.xml configuration that assigns the android:sharedUserId attribute with the value android.uid.system, which effectively elevates the application's execution context to that of the system user. This privileged execution context creates a critical security exposure since the system user possesses extensive device permissions and capabilities that normal applications should not have access to. The vulnerability is further exacerbated by the presence of an exported broadcast receiver component named com.adups.fota.sysoper.WriteCommandReceiver which is accessible to any application on the device without restriction.
The operational impact of this vulnerability is severe as it allows any third-party application to execute privileged commands through the WriteCommandReceiver component. This receiver can be triggered by sending specially crafted intents containing commands that will be executed with system-level privileges, enabling attackers to perform critical device operations including initiating phone calls, executing factory resets, capturing screenshots, recording screen activity, installing malicious applications, injecting input events, and accessing Android system logs. The threat is compounded by the com.adups.fota.sysoper.TaskService component which establishes an automated communication channel with the malicious server at http://rebootv5.adsunflower.com/ps/fetch.do, where it retrieves command instructions from a JSON response structure. These commands are extracted from a String array associated with the key sf within the JSON object and executed with system privileges, creating a persistent backdoor mechanism that can be remotely controlled.
The vulnerability represents a clear violation of the principle of least privilege and demonstrates a dangerous configuration where system-level components are exposed to arbitrary applications without proper authorization checks. This configuration aligns with CWE-276, which addresses improper privilege management, and specifically relates to CWE-732, which deals with incorrect permissions for a resource. The use of unencrypted HTTP communication for command retrieval introduces additional attack surface as identified in CWE-319, which covers cleartext transmission of sensitive information. From an ATT&CK framework perspective, this vulnerability enables techniques such as T1059.001 for command and scripting interpreter execution, T1068 for local privilege escalation, and T1547.001 for registry run keys and startup folder. The attack vector is particularly dangerous because it leverages a legitimate system application to create a persistent threat that can be activated by any app, effectively bypassing normal Android security boundaries and creating a remote code execution capability at the system level. The lack of proper authentication mechanisms and the automatic execution of commands from a remote server creates a sophisticated attack scenario that can be exploited by malware distributed through various channels, potentially leading to complete device compromise and data exfiltration.
The primary mitigation strategies should focus on removing or disabling the vulnerable system application, implementing proper application sandboxing, and enforcing secure communication protocols. Organizations should conduct thorough device security audits to identify and remove similar vulnerable applications, implement network-level security controls to detect and prevent communication with malicious servers, and ensure that all device communications use encrypted channels such as HTTPS. Additionally, device manufacturers should implement proper privilege management in their system applications and avoid exposing system-level components to arbitrary applications without proper authorization checks. This vulnerability highlights the importance of secure application development practices and the need for comprehensive security testing of system-level components before deployment, particularly in mobile environments where the attack surface is already limited by the platform's security model.