CVE-2016-10136

Name of the Vulnerable Software and Affected Versions BLU R1 HD devices with Shanghai Adups software

Description An issue allows any app on the device to read, write, and delete files as the system user due to a content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper. This app executes as the system user because it sets the android:sharedUserId attribute to android.uid.system in its AndroidManifest.xml file. A third-party app can exploit this to modify the /data/system/users/0/settings secure.xml file, adding itself as a notification listener to receive notification text. It can also read the /data/system/users/0/accounts.db file, which contains authentication tokens for various accounts on the device, allowing the app to obtain privileged information and modify files for more privileges.

Recommendations For BLU R1 HD devices with Shanghai Adups software, consider disabling the com.adups.fota.sysoper app or restricting its access to sensitive files and data until a patch is available. Avoid using the com.adups.fota.sysoper.provider.InfoProvider content provider in other apps to minimize the risk of exploitation. Restrict access to the /data/system/users/0/settings secure.xml and /data/system/users/0/accounts.db files to prevent unauthorized modifications and data breaches. At the moment, there is no information about a newer version that contains a fix for this vulnerability.