PatchSiren cyber security CVE debrief
CVE-2016-10136 Adups CVE debrief
CVE-2016-10136 is a local Android privilege and data exposure issue in Adups FOTA software seen on BLU R1 HD devices with Shanghai Adups software. NVD describes a content provider in com.adups.fota.sysoper that allows any app on the device to read, write, and delete files as the system user. That can expose sensitive data and let an attacker alter system-owned settings, including notification-listener configuration and account token storage.
- Vendor: Adups
- Product: CVE-2016-10136
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-13
- Advisory updated: 2026-05-13
Who should care
Mobile security teams, OEMs, device fleet administrators, MDM operators, and app reviewers responsible for Android devices that may include Adups FOTA components should treat this as a high-priority local privilege-escalation and data-exposure issue.
Technical summary
The supplied NVD record states that com.adups.fota.sysoper.provider.InfoProvider permits arbitrary app access to files as the system user because the app runs with android.uid.system. The record specifically notes potential access to /data/system/users/0/settings_secure.xml, which could be used to alter notification-listener settings, and /data/system/users/0/accounts.db, which may contain authentication tokens. The affected CPE in the record is adups:adups_fota, and NVD assigns CVSS v3.0 7.8 High with AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High. This is a locally exploitable issue that can expose secrets and enable unauthorized modification of privileged device state.
Recommended defensive actions
- Identify whether any deployed Android devices include Adups FOTA components or the affected com.adups.fota.sysoper package.
- Prioritize removal, replacement, or vendor patching of the vulnerable Adups software on exposed devices.
- Restrict installation of untrusted third-party apps on impacted devices, since the issue is triggered locally by an app on the device.
- Review device baselines for unexpected notification-listener changes and other privileged settings drift.
- Treat authentication tokens and other account material on potentially affected devices as sensitive and rotate or invalidate credentials if compromise is suspected.
- Monitor vendor and OEM guidance for firmware or software updates tied to the affected Adups package.
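The first and fourth actions above can be checked offline against data already collected from each device. The sketch below is an added example, not code from the NVD record or the vendor. It assumes the inputs are the text output of `adb shell pm list packages` and `adb shell settings get secure enabled_notification_listeners`; the `com.adups.` prefix heuristic, the baseline set, and all sample values are constructed assumptions.

```python
# Added example: offline audit of data already collected from each device.
AFFECTED = {"com.adups.fota.sysoper"}  # package named in the NVD record
ADUPS_PREFIX = "com.adups."            # assumption: related components share this prefix

def parse_pm_list(output):
    """Parse `pm list packages` output: one 'package:<name>' per line."""
    return {line.strip()[len("package:"):]
            for line in output.splitlines()
            if line.strip().startswith("package:")}

def parse_listeners(value):
    """Parse enabled_notification_listeners: colon-separated component names."""
    value = value.strip()
    if not value or value == "null":   # `settings get` prints null when unset
        return set()
    return {c for c in value.split(":") if c}

def audit_device(pm_output, listeners_value, baseline_listeners):
    """Return affected packages, other Adups packages, and listener drift."""
    pkgs = parse_pm_list(pm_output)
    return {
        "affected": sorted(pkgs & AFFECTED),
        "adups_related": sorted(p for p in pkgs - AFFECTED if p.startswith(ADUPS_PREFIX)),
        "listener_drift": sorted(parse_listeners(listeners_value) - set(baseline_listeners)),
    }

# Constructed sample data (not taken from a real device).
SAMPLE_PM = """package:com.android.settings
package:com.adups.fota
package:com.adups.fota.sysoper
package:com.example.mdm
"""
SAMPLE_LISTENERS = ("com.example.mdm/com.example.mdm.NotifService:"
                    "com.unknown.app/com.unknown.app.Listener")
BASELINE = {"com.example.mdm/com.example.mdm.NotifService"}

if __name__ == "__main__":
    for key, found in audit_device(SAMPLE_PM, SAMPLE_LISTENERS, BASELINE).items():
        print(f"{key}: {found or 'none'}")
```

A non-empty `affected` list marks the device for removal or patching; any `listener_drift` entry on such a device warrants the credential rotation described in the list above.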
Evidence notes
The debrief is based on the supplied NVD record, which describes arbitrary file access through com.adups.fota.sysoper.provider.InfoProvider and highlights the system-user context created by android.uid.system. The record also cites a third-party technical advisory from Kryptowire and lists the affected CPE as adups:adups_fota. The CVE was published on 2017-01-13 and later modified on 2026-05-13; no KEV entry was supplied.
Official resources
- CVE-2016-10136 CVE record (CVE.org)
- CVE-2016-10136 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference: [email protected] - Technical Description, Third Party Advisory
- Source reference: [email protected] - Press/Media Coverage
Published by the CVE record on 2017-01-13T09:59:00.217Z; modified on 2026-05-13T00:24:29.033Z. No Known Exploited Vulnerabilities flag was supplied.