CVE-2016-10139 Adups CVE debrief

Who should care

Mobile device defenders, OEM and firmware maintainers, MDM teams, privacy/compliance staff, and users of affected BLU R1 HD devices or other products shipping Shanghai Adups software.

Technical summary

The supplied NVD description identifies two relevant packages, com.adups.fota and com.adups.fota.sysoper. The sysoper app’s AndroidManifest.xml sets android:sharedUserId to android.uid.system, which makes it execute with system privileges and inherit powerful permissions not explicitly declared in its manifest. Through com.adups.fota.sysoper.provider.InfoProvider, the companion app can access call logs, text messages, and device identifiers. The behavior described in the record uses timestamps to trigger periodic background exfiltration, typically after 72 hours and on charging or wireless-network transitions, with no user interaction. NVD classifies the issue with CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 HIGH).

Defensive priority

High

Recommended defensive actions

• Inventory affected devices and confirm whether BLU R1 HD or other Adups-based firmware is still in use.
• Apply OEM/vendor firmware updates or replace unsupported devices where remediation is not available.
• Restrict sensitive use of affected devices until patching, replacement, or decommissioning is complete.
• Review mobile device management and app inventories for privileged preinstalled packages and unexpected data access paths.
• Audit Android firmware for sharedUserId/system-privilege patterns and internal providers that expose personal data.

Evidence notes

Primary evidence comes from the official NVD/CVE record and the linked Kryptowire technical advisory. The NVD entry provides the vulnerability description, the CVSS 3.0 vector and score, the affected CPE criteria, and the record’s published/modified timestamps. The CVE record and NVD detail should be treated as the canonical references for this debrief; the press link is included only for broader context.

Official resources