PT-2017-7763 · Adups+2 · Shanghai Adups+3
Published: 2017-01-13 · Updated: 2017-03-16 · CVE-2016-10138
CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
BLU Advance 5.0
BLU R1 HD with Shanghai Adups software
Description
An issue was discovered in the com.adups.fota.sysoper app, which is installed as a system app and cannot be disabled by the user. The app executes as the system user because the android:sharedUserId attribute is set to android.uid.system in its AndroidManifest.xml file. Any app on the device can interact with its exported broadcast receiver, com.adups.fota.sysoper.WriteCommandReceiver, which executes commands as the system user. A third-party app can use this receiver to perform various actions, including calling a phone number, factory resetting the device, taking screenshots, recording the screen, installing applications, injecting events, and obtaining the Android log. Additionally, the com.adups.fota.sysoper.TaskService component makes a request to http://rebootv5.adsunflower.com/ps/fetch.do and executes the commands received from the server as the system user; because the request uses HTTP, it is vulnerable to a man-in-the-middle (MITM) attack.
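As an added example (not part of the original advisory and not vendor code), the following Python code audits a decoded AndroidManifest.xml for the condition described above: an app sharing android.uid.system that exposes an exported component with no permission guard. The sample manifest is constructed; its action and permission names and the GuardedReceiver entry are placeholders, and the input is assumed to be a text manifest already decoded from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample, not the vendor's real manifest; action/permission names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper" android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".WriteCommandReceiver">
      <intent-filter>
        <action android:name="constructed.placeholder.ACTION"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="constructed.placeholder.PERMISSION"/>
    <service android:name=".TaskService" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    # Explicit android:exported wins; otherwise an intent-filter implies exported (pre-Android 12 default).
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return exported, permission-less components of an app sharing android.uid.system."""
    root = ET.fromstring(xml_text)
    if root.get(ANDROID + "sharedUserId") != "android.uid.system":
        return []
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_permission = app.get(ANDROID + "permission")
        for component in app:
            if component.tag not in ("receiver", "service", "activity"):
                continue
            guarded = component.get(ANDROID + "permission") or app_permission
            if is_exported(component) and not guarded:
                name = component.get(ANDROID + "name", "")
                findings.append(package + name if name.startswith(".") else name)
    return findings


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Each name returned is a component that any co-installed app can reach while it runs with system privileges; a signature-level permission or android:exported="false" on the component removes it from the list.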
Recommendations
For BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software, consider disabling the com.adups.fota.sysoper app or restricting its functionality to minimize the risk of exploitation until a patch is available.
As a temporary workaround, restrict access to the com.adups.fota.sysoper.WriteCommandReceiver component to prevent unauthorized interactions.
Avoid using the com.adups.fota.sysoper.TaskService component until the issue is resolved, as it may execute malicious commands received from the server.
Affected Products
Android
Blu Advance 5.0
Blu R1 Hd
Shanghai Adups