Android Adware Root Exploit Gets Uncovered by FireEye

Android Malware connects to; gets uncovered by FireEye researchers.

Reports have emerged of yet another Android-based exploit. To no real surprise, it is an adware campaign. Affected is anybody who downloaded an app, or anything really, from what they believed to be secure sources.

The trick is that these apps use repackaged icons so that they appear to be popular apps, which are offered via pop-up advertisements and in-app purchases.

This exploit has been uncovered by security firm FireEye. Once installed, the fake apps attempt to exploit no fewer than 8 different Android vulnerabilities that would allow access to deep root privileges. Once there, the apps launch code libraries that resemble legitimate Android services like com.facebook.qdservice.rp.provider and The purpose being a permanent presence on the affected devices.


The researchers from FireEye explained in a lengthy blog post that this malware contacts for commands. In order to avoid detection as long as possible the system service does not constantly contact the server. Instead it just asks for commands on the very first launch or after 24 hours have passed since issuing its last command. What is typical for every communication is that the malware first posts IMEI, then IMSI, storage info and the installed app info to the server.

That is evident when a simple test involving intercepting the network traffic on a Nexus 7 with Android 4.3 was performed by the lads over in FireEye. The results can be witnessed in the text below:

HTTP/1.1 200 OK

Server: nginx/1.6.1

Date: Mon, 28 Sep 2015 22:52:23 GMT

Content-Length: 3224

Connection: keep-alive



[Uninstall] keep [-] keep [-] com.lookout

[Uninstall] keep [-] keep [-] com.hola.launcher


What is remarkable here is that it shows the code using its root access to uninstall the legitimate antivirus application called Lookout. One of the samples even contained the same developer certificate as an app that until recently could be found at the official Google Play store. It has since been pulled.

Here you can see that after uploading the device info the malicious process asks for commands from the server:


/vl.jsp?e=<anonymized>&s=<anonymized>&g=6012&C=6283&tid=0&versionCode=19&platform=android&pt=Nexus 7&osVersion=4.3&countryCode=us&lang=en.&m=&pid=<anonymized>srt truest wifiso saa HTTP/1.1

User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; Nexus 7 Build/JLS36C)


Connection: Keep-Alive

Accept-Encoding: gzip
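
One way to check captured traffic for the two behaviours shown above, added here as an example and not taken from FireEye's write-up: it extracts directives from a response body, flags uninstall orders aimed at security apps, and applies a heuristic to the request line. The `[-]` field separator, the watchlist and the chosen query keys are assumptions drawn from the capture above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: directives look like "[Action] f1 [-] f2 [-] package", as in the
# two response lines above; the meaning of the middle fields is not known.
DIRECTIVE = re.compile(r"^\[(?P<action>\w+)\]\s*(?P<rest>.+)$")

# Defender-maintained watchlist (constructed; com.lookout is named on the page).
SECURITY_APPS = {"com.lookout"}

# Query keys visible in the captured request (assumed typical of the beacon).
BEACON_KEYS = {"versionCode", "countryCode", "tid"}


def parse_directives(body):
    """Return (action, package) for every directive line in a response body."""
    out = []
    for line in body.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not shaped like a directive
        fields = [f.strip() for f in m.group("rest").split("[-]")]
        out.append((m.group("action").lower(), fields[-1]))
    return out


def removed_security_apps(body, watchlist=SECURITY_APPS):
    """Watchlisted packages the server tells the device to uninstall."""
    return [pkg for action, pkg in parse_directives(body)
            if action == "uninstall" and pkg in watchlist]


def looks_like_beacon(request_target, user_agent):
    """Heuristic only: Dalvik client, .jsp path, device-profile query keys."""
    url = urlsplit(request_target)
    keys = set(parse_qs(url.query, keep_blank_values=True))
    return (user_agent.startswith("Dalvik/")
            and url.path.endswith(".jsp")
            and BEACON_KEYS <= keys)


# Constructed samples modelled on the capture above.
SAMPLE_BODY = ("[Uninstall] keep [-] keep [-] com.lookout\n"
               "[Uninstall] keep [-] keep [-] com.hola.launcher\n")
SAMPLE_TARGET = "/vl.jsp?e=x&s=y&g=6012&tid=0&versionCode=19&countryCode=us&lang=en"
SAMPLE_UA = "Dalvik/1.6.0 (Linux; U; Android 4.3; Nexus 7 Build/JLS36C)"

if __name__ == "__main__":
    print(removed_security_apps(SAMPLE_BODY), looks_like_beacon(SAMPLE_TARGET, SAMPLE_UA))
```

The beacon heuristic will also match benign apps that send similar query keys, so treat a hit as a lead to correlate with the response-side check rather than a verdict.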


All this is another red flag and a reminder that apps downloaded from third-party stores may contain numerous hidden dangers. While Google’s official store is by no means perfect in regard to security, it still offers the most secure place to browse for Android apps. Refrain from downloading from insecure locations, or at least keep an eye out for suspicious behavior.