PatchSiren

CVE-2016-10137 Adups CVE debrief

CVE-2016-10137 describes a local Android security issue in Adups FOTA software used on BLU R1 HD devices. The affected package, com.adups.fota.sysoper, includes a content provider named com.adups.fota.sysoper.provider.InfoProvider and is configured to run as the Android system user. According to the CVE record and NVD summary, this can allow another app already on the device to read, write, and delete files with system-level privileges, including sensitive user data such as sent and received text messages and call logs. Because the issue can expose personal information without the user granting permission, it should be treated as a high-priority remediation item for affected devices.

Vendor: Adups
Product: CVE-2016-10137
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Mobile OEMs and firmware maintainers using Adups components, Android device administrators, MDM/EMM teams, support organizations managing BLU R1 HD or similar affected devices, and security teams responsible for mobile PII exposure risk.

Technical summary

The vulnerability centers on com.adups.fota.sysoper.provider.InfoProvider in the com.adups.fota.sysoper app. The AndroidManifest.xml sets android:sharedUserId to android.uid.system, causing the app to execute as the system user. NVD characterizes the issue as local, low-complexity, low-privilege, and no-user-interaction, with high impacts to confidentiality, integrity, and availability (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The supplied description says any app on the device may then read, write, and delete files as the system user, including SMS and call log data.
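To find this pattern in a firmware image, a defender can audit each app's decoded manifest (the text XML that a tool such as apktool produces) for the combination described above: a package that shares the system UID and a content provider that other apps can reach without a permission. The following is an added example, not code from the CVE record or from Adups; the sample manifest is constructed, and its authorities, exported flags and the GuardedProvider entry are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample of a decoded manifest. Only the package name, provider class
# and sharedUserId come from the CVE text; authorities, the exported flags and
# GuardedProvider are assumptions made for illustration.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper"
    android:sharedUserId="android.uid.system">
  <application>
    <provider android:name="com.adups.fota.sysoper.provider.InfoProvider"
        android:authorities="placeholder.info" android:exported="true"/>
    <provider android:name=".GuardedProvider"
        android:authorities="placeholder.guarded" android:exported="true"
        android:permission="com.example.permission.PLACEHOLDER"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Flag providers reachable by other apps in a package that runs as system."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    runs_as_system = root.get(A + "sharedUserId") == "android.uid.system"
    unguarded = []
    for prov in root.iter("provider"):
        name = prov.get(A + "name", "")
        if name.startswith("."):  # expand relative class names
            name = package + name
        # A missing attribute defaulted to exported on targetSdkVersion <= 16,
        # so anything not explicitly "false" is treated as reachable.
        exported = prov.get(A + "exported", "true").lower() != "false"
        # readPermission alone leaves writes open (and vice versa).
        guarded = bool(prov.get(A + "permission")) or (
            bool(prov.get(A + "readPermission"))
            and bool(prov.get(A + "writePermission")))
        if runs_as_system and exported and not guarded:
            unguarded.append(name)
    return {"package": package, "runs_as_system": runs_as_system,
            "unguarded_system_providers": unguarded}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A non-empty `unguarded_system_providers` list marks a package for manual review; it does not by itself prove the provider exposes file operations.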

Defensive priority

High. The attack path is local and requires a malicious app on the device, but the privilege boundary crossed is severe because the affected component runs as the system user and can expose sensitive PII.

Recommended defensive actions

  • Identify devices and firmware builds that include Adups FOTA components, especially com.adups.fota.sysoper.
  • Apply OEM or vendor firmware updates that remove or constrain the vulnerable component if a fix is available.
  • If remediation is not available, plan accelerated replacement or retirement of affected devices, particularly where they store sensitive user data.
  • Use mobile application allowlisting and enterprise app control to reduce the chance that untrusted apps can be installed on impacted devices.
  • Review mobile device management policies to limit third-party app installation on devices that may contain the affected package.
  • Assess whether SMS, call log, or other sensitive data could have been exposed on impacted devices and take appropriate incident-response steps.
  • Track the official CVE/NVD record for any vendor notes or updated remediation guidance.

Evidence notes

The CVE record states that com.adups.fota.sysoper.provider.InfoProvider allows any app on the device to read, write, and delete files as the system user, and that android:sharedUserId is set to android.uid.system in the app manifest. NVD lists the vulnerable CPE as adups:adups_fota and assigns CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, supporting a severe local-impact assessment. The CVE was published on 2017-01-13; the NVD record was modified on 2026-05-13.

Official resources

Publicly disclosed in the CVE record on 2017-01-13. The supplied NVD record was later modified on 2026-05-13.