CVE-2016-10139

Name of the Vulnerable Software and Affected Versions BLU R1 HD devices with Shanghai Adups software

Description An issue was discovered that allows for the exfiltration of user data. The com.adups.fota.sysoper app executes as the system user due to its android:sharedUserId attribute being set to android.uid.system, granting it powerful permissions. This app provides the com.adups.fota app access to the user's call log, text messages, and device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The exfiltration of personally identifiable information (PII) occurs every 72 hours, triggered by events such as the device being plugged in to charge or when the user leaves or enters a wireless network, all without requiring user interaction.

Recommendations For BLU R1 HD devices with Shanghai Adups software, consider disabling the com.adups.fota.sysoper app to prevent the exfiltration of user data until a fix is available. Additionally, restrict access to the com.adups.fota.sysoper.provider.InfoProvider component to minimize the risk of exploitation. Avoid using the device for sensitive activities until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.