CVE-2016-10137

Name of the Vulnerable Software and Affected Versions BLU R1 HD devices with Shanghai Adups software

Description An issue allows any app on the device to read, write, and delete files as the system user due to the content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper. This app executes as the system user because it sets the android:sharedUserId attribute to android.uid.system in its AndroidManifest.xml file. As a result, a third-party app can access the user's sent and received text messages and call log, obtaining personally identifiable information (PII) without permission.

Recommendations For BLU R1 HD devices with Shanghai Adups software, consider disabling the com.adups.fota.sysoper app or restricting its access to sensitive data until a fix is available. Avoid using the com.adups.fota.sysoper.provider.InfoProvider content provider in other apps to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.