CVE-2016-10138 Adups CVE debrief

Who should care

Android device owners and fleet administrators using affected BLU devices with Adups software, mobile security teams, and any organization managing third-party or preinstalled Android system apps should pay attention. The risk matters most where untrusted apps may be installed or where the device can reach the vulnerable HTTP command endpoint.

Technical summary

According to the NVD description, com.adups.fota.sysoper is a system app configured with android.uid.system, so its code executes with elevated system privileges. It contains an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver, which means other apps on the device can send it intents. Because the receiver processes embedded commands while running as the system user, a low-privileged app can trigger privileged actions such as calling numbers, factory reset, screen capture/recording, app installation, event injection, and log access. The same component family also includes TaskService, which requests commands from an HTTP URL; the returned JSON array entries under the sf key are executed as system, and the plain HTTP transport makes the command channel vulnerable to interception or modification.

Defensive priority

High. This is a system-privileged command execution flaw with both local app-to-system abuse and network-manipulation exposure. Even though the CVSS vector uses local attack conditions, the reachable impact spans confidentiality, integrity, and availability at the device level.

Recommended defensive actions

• Identify whether affected BLU Advance 5.0 or BLU R1 HD devices include Adups FOTA software, especially com.adups.fota.sysoper.
• Treat any preinstalled system app with exported components as part of the trusted computing base and review its permissions and intent exposure.
• Block or restrict installation of untrusted apps on impacted devices, since any on-device app can interact with the exported receiver.
• Inspect device management and mobile application control policies for the presence of Adups-related packages and note whether removal or disabling is possible in your environment.
• Monitor for unexpected device behaviors consistent with privileged actions described in the advisory, such as unsolicited resets, app installs, or log access.
• Prefer devices and firmware that no longer rely on the vulnerable Adups component, and validate vendor remediation before continued use.
• Where enterprise controls exist, segment or retire exposed devices that cannot be patched or otherwise remediated.
• Use network controls and inspection where feasible to reduce exposure to plaintext HTTP command retrieval and possible MITM manipulation.

Evidence notes

The core facts come from the supplied NVD record and CVE description: com.adups.fota.sysoper runs as android.uid.system, exposes WriteCommandReceiver, and fetches commands over HTTP from rebootv5.adsunflower.com. The NVD metadata also cites a technical advisory from Kryptowire and media coverage; the official NVD and CVE record links are included below. The CVE publication date is 2017-01-13T09:59:00.263Z; the 2026-05-13 modified timestamp reflects record maintenance, not the issue date.

Official resources