BLU · BLU R1 HD · CVE-2016-10139
**Name of the Vulnerable Software and Affected Versions**
BLU R1 HD devices with Shanghai Adups software
**Description**
An issue was discovered that allows for the exfiltration of user data. The `com.adups.fota.sysoper` app executes as the system user due to its `android:sharedUserId` attribute being set to `android.uid.system`, granting it powerful permissions. This app provides the `com.adups.fota` app access to the user's call log, text messages, and device identifiers through the `com.adups.fota.sysoper.provider.InfoProvider` component. The exfiltration of personally identifiable information (PII) occurs every 72 hours, triggered by events such as the device being plugged in to charge or when the user leaves or enters a wireless network, all without requiring user interaction.
**Recommendations**
For BLU R1 HD devices with Shanghai Adups software, consider disabling the `com.adups.fota.sysoper` app to prevent the exfiltration of user data until a fix is available. Additionally, restrict access to the `com.adups.fota.sysoper.provider.InfoProvider` component to minimize the risk of exploitation. Avoid using the device for sensitive activities until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
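The description ties the issue to an `android:sharedUserId` of `android.uid.system` combined with a data-serving provider, and the recommendation is to restrict access to that provider. The following is an added example, not code from the vendor or the advisory: a manifest audit that flags providers in a system-UID app that are exported without both read and write permissions. The manifest text, authorities, permission names and `GuardedProvider` are constructed for illustration and do not reproduce the real app's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; attribute values are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper"
    android:sharedUserId="android.uid.system">
  <application>
    <provider android:name="com.adups.fota.sysoper.provider.InfoProvider"
        android:authorities="example.constructed.authority"
        android:exported="true"/>
    <provider android:name=".provider.GuardedProvider"
        android:authorities="example.constructed.guarded"
        android:exported="true"
        android:readPermission="example.permission.READ"
        android:writePermission="example.permission.WRITE"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return findings for providers in an app that shares the system UID."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    if root.get(ANDROID_NS + "sharedUserId") != "android.uid.system":
        return []  # app does not run as the system user
    findings = []
    for provider in root.iter("provider"):
        name = provider.get(ANDROID_NS + "name", "")
        if name.startswith("."):
            name = package + name  # expand relative class name
        # Simplification: only an explicit exported="true" is treated as exported.
        exported = provider.get(ANDROID_NS + "exported") == "true"
        perm = provider.get(ANDROID_NS + "permission")
        read_ok = perm or provider.get(ANDROID_NS + "readPermission")
        write_ok = perm or provider.get(ANDROID_NS + "writePermission")
        if exported and not (read_ok and write_ok):
            findings.append({"package": package, "provider": name,
                             "issue": "exported without read and write permission"})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['package']}: {f['provider']} -> {f['issue']}")
```

Run it against a manifest decoded from an APK to review which providers a system-UID app exposes before deciding what to disable or restrict.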