CVE-2016-10139 in R1 HD
Summary
by MITRE
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The two package names involved in the exfiltration are com.adups.fota and com.adups.fota.sysoper. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. Therefore, the app executing as the system user has been granted a number of powerful permissions even though they are not present in the com.adups.fota.sysoper app's AndroidManifest.xml file. This app provides the com.adups.fota app access to the user's call log, text messages, and various device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The com.adups.fota app uses timestamps when it runs and is eligible to exfiltrate the user's PII every 72 hours. If 72 hours have passed since the value of the timestamp, then the exfiltration will be triggered by the user plugging in the device to charge or when they leave or enter a wireless network. The exfiltration occurs in the background without any user interaction.
Analysis
by VulDB Data Team • 05/13/2026
The vulnerability described in CVE-2016-10139 represents a critical privilege escalation issue affecting BLU R1 HD devices running Shanghai Adups software. This flaw demonstrates how malicious actors can leverage system-level privileges to access sensitive user data without explicit user consent or knowledge. The vulnerability specifically targets the Android operating system's permission model and user isolation mechanisms, creating a backdoor that operates at the system level while remaining undetectable to typical user security measures.
The technical implementation of this vulnerability relies on a sophisticated abuse of Android's shared user ID mechanism through the com.adups.fota.sysoper application component. By setting the android:sharedUserId attribute to android.uid.system, the malicious application gains elevated privileges that should normally be restricted to system-level applications only. This configuration allows the application to execute with system-level permissions despite not having explicit declarations for these capabilities in its manifest file. The underlying security principle violated here is the principle of least privilege, where applications should only have the minimum permissions necessary for their operation. This vulnerability directly maps to CWE-276, which addresses improper privilege management, and represents a classic example of how Android's permission system can be subverted through legitimate but misused system-level features.
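A defender can check a firmware image for this pattern by auditing each package's manifest. The following is an added example, not code from the advisory or from the vendor: it assumes the manifest has already been decoded to text XML (for example with apktool), and the sample manifest is constructed, with only the package name, the sharedUserId value and the provider class name taken from the description above.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest. The authority, targetSdkVersion and permission
# list are made up for illustration and are not the real app's values.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper"
    android:sharedUserId="android.uid.system">
  <uses-sdk android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <provider android:name="com.adups.fota.sysoper.provider.InfoProvider"
              android:authorities="example.constructed.authority"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Flag system-UID packages and providers exposed without a permission."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # A missing targetSdkVersion falls back to the lowest API level.
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    report = {
        "package": root.get("package"),
        # Running as android.uid.system grants privileges the manifest never
        # lists, so declared_permissions understates what the app can do.
        "runs_as_system": root.get(A + "sharedUserId") == "android.uid.system",
        "declared_permissions": sorted(
            p.get(A + "name") for p in root.iter("uses-permission")
            if p.get(A + "name")),
        "unguarded_exported_providers": [],
    }
    for prov in root.iter("provider"):
        exported = prov.get(A + "exported")
        # Without an explicit value, providers are exported when targetSdk <= 16.
        is_exported = (exported == "true") if exported is not None else target <= 16
        guarded = any(prov.get(A + k) for k in
                      ("permission", "readPermission", "writePermission"))
        if is_exported and not guarded:
            report["unguarded_exported_providers"].append(prov.get(A + "name"))
    return report

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A package that reports `runs_as_system` together with any unguarded exported provider deserves manual review, because other apps on the device can reach system-level data through that provider.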
The operational impact of this vulnerability extends far beyond simple data collection, as it enables comprehensive user surveillance through access to call logs, text messages, and device identifiers. The InfoProvider component serves as a data exfiltration conduit that bridges the gap between the privileged system application and the less privileged com.adups.fota application, creating a sophisticated data harvesting mechanism. The timing mechanism implemented through timestamp-based triggers demonstrates a well-designed persistence strategy that ensures regular data collection without user interaction. The exfiltration occurs during routine device activities such as charging or network state changes, making detection extremely difficult for end users who may not notice the data transfer activities. This approach aligns with ATT&CK technique T1071.004 for application layer protocols and T1059.001 for command and scripting interpreter, as it leverages legitimate system interfaces for malicious data collection purposes.
The background operation of this vulnerability without user interaction represents a significant threat to user privacy and device security. The 72-hour polling interval combined with trigger-based activation ensures continuous monitoring while maintaining operational stealth. This design pattern demonstrates how threat actors can create persistent surveillance capabilities that operate below the radar of standard security tools and user awareness. The vulnerability affects not just individual user privacy but also represents a potential vector for broader security compromise, as device identifiers and communication patterns can be used for targeted attacks or identity theft. The implementation of this vulnerability shows sophisticated understanding of Android security architecture and demonstrates how legitimate system-level permissions can be abused to create persistent surveillance capabilities. The attack surface is particularly concerning because it operates at the system level and can bypass many traditional mobile security controls and user permission prompts that would normally prevent such data access.