
Identifying Real Device Clouds and Rooted Android Apps

4 min read
Joe Rutkowski
Lead Developer

Real device clouds are fleets of physical (or, despite the name, emulated) mobile devices that are managed centrally to run automated scripts. They serve many purposes: legitimate testing or research, load testing of apps, and also abuse. At OverpoweredJS we have been focused on detecting and analyzing these device clouds, with a special emphasis on uncovering suspicious or malicious behavior. In this post we show how we use the x-requested-with header, which Android WebView fills with the package name of the app hosting it, together with other signals to detect rooted devices, and how fraudsters use those devices to run their schemes.

Why Identifying Real Device Clouds Matters

Real device clouds can serve many legitimate functions, such as QA testing across numerous devices at scale. However, not all use cases are benign. Some malicious operators utilize these device clusters to:

  • Automate large-scale attacks: Launching massive crawls or DDoS-like attacks.
  • Scrape data: Systematically accessing or copying information from web services.
  • Spoof user actions: Faking sign-ups, gaming referral programs, and bulk-checking account credentials.
  • Commit ad fraud: Inflating clicks or impressions on ads without genuine user engagement.

When these activities run at scale they degrade performance for real users, consume resources, and skew the statistics that businesses rely on.

How the x-requested-with Header Helps

In Android environments, a key signal we inspect is the x-requested-with header. Android WebView attaches it to every request the embedded browser makes, and its value is the package name of the app hosting the WebView (ordinary browser AJAX libraries such as jQuery send the fixed value XMLHttpRequest instead, so a detector has to tell the two apart). Here's an anonymized snippet:

"headers": {
"x-requested-with": "[REDACTED]",
"user-agent": "[REDACTED]",
"origin": "[REDACTED]",
"referer": "[REDACTED]",
"content-type": "application/json",
...
}

The package name tells us which app the traffic is coming from. A value that names a superuser-management app, or otherwise references root privileges, is a strong indication that the device is rooted, and traffic carrying such an ID raises a red flag. Two caveats apply: the header describes the app, not the device, so a rooted device running an ordinary WebView app looks normal here; and because the value is set on the client by the WebView inside the app, the app's operator can change or drop it, so it is a signal to correlate with others rather than proof on its own.
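The check described above, written out as a small server-side triage routine. This is an added example, not OverpoweredJS code. It relies on three facts: Android WebView sets x-requested-with to the embedding app's package name, Chrome-based WebView user agents carry a "; wv)" token, and browser XHR helpers send the literal value XMLHttpRequest. The ROOT_HINTS watch-list and every package name in the sample data are assumptions made for the example.

```javascript
// Added example, not OverpoweredJS code: classify a request by its
// x-requested-with header and cross-check it against the User-Agent.
// The ROOT_HINTS list and the sample package names are illustrative only.

// Reverse-DNS shape of an Android package name (com.vendor.app).
const ANDROID_PACKAGE = /^[a-z_][a-z0-9_]*(\.[a-z_][a-z0-9_]*)+$/i;
// Chrome-based Android WebView user agents contain "; wv)" in the platform list.
const WEBVIEW_UA = /Android[^)]*;\s*wv\)/;
// Assumed watch-list of substrings that reference superuser tooling.
const ROOT_HINTS = ['supersu', 'superuser', 'magisk'];

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { kind, appId, flags } with kind one of
// 'absent' | 'xhr' | 'android_app' | 'unknown'.
function classifyRequest(headers) {
  const h = lowerKeys(headers);
  const xrw = h['x-requested-with'];
  const ua = h['user-agent'] || '';
  const webViewUA = WEBVIEW_UA.test(ua);
  const flags = [];

  if (xrw === undefined || xrw === '') {
    // A WebView UA with no package header suggests the header was stripped.
    if (webViewUA) flags.push('webview_without_package');
    return { kind: 'absent', appId: null, flags };
  }
  if (xrw === 'XMLHttpRequest') {
    // Sent by browser AJAX libraries; says nothing about an app or root state.
    return { kind: 'xhr', appId: null, flags };
  }
  if (ANDROID_PACKAGE.test(xrw)) {
    const id = xrw.toLowerCase();
    if (ROOT_HINTS.some((t) => id.includes(t))) flags.push('root_hint');
    // A package name from a non-WebView UA is inconsistent: either the
    // header or the UA has been tampered with.
    if (!webViewUA) flags.push('ua_mismatch');
    return { kind: 'android_app', appId: id, flags };
  }
  return { kind: 'unknown', appId: null, flags: ['unparseable_value'] };
}

// Constructed sample requests with hypothetical package names.
const WV_UA =
  'Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ3A.230805.001; wv) ' +
  'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36';
const CHROME_UA =
  'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36';

const SAMPLE_REQUESTS = [
  { 'X-Requested-With': 'com.example.news', 'User-Agent': WV_UA },
  { 'X-Requested-With': 'com.example.superuser.shell', 'User-Agent': WV_UA },
  { 'X-Requested-With': 'com.example.farm', 'User-Agent': CHROME_UA },
  { 'X-Requested-With': 'XMLHttpRequest', 'User-Agent': CHROME_UA },
  { 'User-Agent': WV_UA },
];

function triage(requests) {
  return requests.map(classifyRequest);
}

for (const r of triage(SAMPLE_REQUESTS)) console.log(JSON.stringify(r));
```

Run with node; the second sample is flagged root_hint, the third ua_mismatch, and the last webview_without_package. In practice the flags feed a scoring model alongside the other signals the post mentions rather than blocking on their own.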

Why Rooted Devices Are Suspicious

Rooted or jailbroken devices remove system-level restrictions, allowing modifications that can enable:

  • Unauthorized data access: Reading or writing system files.
  • Automated, background scripting: Running large-scale tasks with no user interaction and without the restrictions a stock device would impose.
  • Spoofing device signals: Manipulating identifiers such as IMEI, MAC address, or geolocation.

A cluster of rooted devices managed from one place typically points to a real device cloud, and its traffic deviates from ordinary user behavior: many distinct devices, the same app, the same source network, the same endpoints, in a short window. Combined with scripts or purpose-built apps, such a cluster can generate large volumes of traffic very quickly.
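The cluster shape described above, turned into a detection that groups requests by app identifier and source /24 and flags groups where many distinct devices appear inside a short window. This is an added example, not OverpoweredJS code; the records, IP addresses (RFC 5737 test range), package names and thresholds are all constructed for the example.

```javascript
// Added example, not OverpoweredJS code: flag app identifiers that appear from
// many distinct devices on the same source network within a short window, the
// traffic shape a centrally managed device cloud produces. All records,
// package names, IPs and thresholds below are constructed assumptions.

// Pull the device model out of an Android UA's parenthesised platform list,
// e.g. "(Linux; Android 13; Pixel 7 Build/...; wv)" -> "Pixel 7".
function deviceModel(ua) {
  const m = /\(([^)]*)\)/.exec(ua);
  if (!m) return 'unknown';
  const parts = m[1].split(';').map((s) => s.trim());
  const model = parts[2] || 'unknown';
  return model.replace(/\s+Build\/.*$/, '');
}

function slash24(ip) {
  return ip.split('.').slice(0, 3).join('.') + '.0/24';
}

// records: [{ ts (ms), ip, appId, ua, path }]
// Returns one entry per (appId, /24) whose distinct-device count inside some
// windowMs-long window reaches minDevices, sorted by device count descending.
function findClusters(records, { windowMs = 60000, minDevices = 5 } = {}) {
  const groups = new Map();
  for (const r of records) {
    if (!r.appId) continue; // no package name: nothing to cluster on here
    const key = `${r.appId}|${slash24(r.ip)}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const clusters = [];
  for (const [key, recs] of groups) {
    recs.sort((a, b) => a.ts - b.ts);
    // Sliding window over timestamps; keep the densest window seen.
    let best = { devices: 0, requests: 0 };
    for (let i = 0, j = 0; i < recs.length; i++) {
      while (recs[i].ts - recs[j].ts > windowMs) j++;
      const slice = recs.slice(j, i + 1);
      const devices = new Set(slice.map((r) => `${r.ip}|${deviceModel(r.ua)}`));
      if (devices.size > best.devices) best = { devices: devices.size, requests: slice.length };
    }
    if (best.devices >= minDevices) {
      const [appId, network] = key.split('|');
      clusters.push({ appId, network, ...best, paths: [...new Set(recs.map((r) => r.path))] });
    }
  }
  return clusters.sort((a, b) => b.devices - a.devices);
}

// Constructed sample traffic. Six different handsets on one /24 hit the
// sign-up endpoint from the same (hypothetical) app within 20 seconds,
// while a single ordinary reader browses a news app over 10 minutes.
const WV = (model) =>
  `Mozilla/5.0 (Linux; Android 13; ${model} Build/X; wv) AppleWebKit/537.36 ` +
  '(KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36';
const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
const SAMPLE_RECORDS = [];
['SM-A125F', 'Redmi 9A', 'moto g8', 'SM-A037F', 'Pixel 4a', 'Redmi 9A'].forEach((m, i) =>
  SAMPLE_RECORDS.push({ ts: t0 + i * 4000, ip: `203.0.113.${10 + i}`,
    appId: 'com.example.farm', ua: WV(m), path: '/api/signup' }));
['/', '/feed', '/article/1'].forEach((p, i) =>
  SAMPLE_RECORDS.push({ ts: t0 + i * 300000, ip: '198.51.100.7',
    appId: 'com.example.news', ua: WV('Pixel 7'), path: p }));

console.log(JSON.stringify(findClusters(SAMPLE_RECORDS), null, 2));
```

Only the sign-up burst is reported; the news reader never reaches the device threshold. The (ip, model) pair is a crude device identity chosen to keep the example self-contained; a production version would substitute the richer device fingerprint the post refers to.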

Malicious Use Cases

  1. Credential Stuffing: Replaying leaked username and password pairs against login endpoints at scale, spread across many devices so that no single one trips rate limits.
  2. Spam or Fake Engagement: Generating artificial likes, follows, or comments on social platforms.
  3. Data Harvesting: Pulling information en masse from websites and APIs.
  4. Security Testing (the benign counterpart): Legitimate businesses use the same infrastructure to test app resilience, which is why detection must look at behavior rather than at the infrastructure alone.

By detecting the presence of suspicious WebView sessions and known malicious app IDs, OverpoweredJS helps organizations separate legitimate usage from fraudulent or malicious activity.

Conclusion

While the x-requested-with header has been a reliable indicator of rooted Android devices, many bad actors now strip or spoof it, and newer WebView releases give the embedding app control over whether it is sent at all. Others have moved to different approaches, such as Electron apps, to evade detection. Despite these tactics, OverpoweredJS remains at the forefront of detecting real device clouds and malicious activity.

At OverpoweredJS we constantly evolve our detection strategy. We correlate a broad range of signals to identify the large-scale patterns that indicate automated device usage, and we are always refining our capabilities.

Our suite of technologies goes beyond simple header checks, incorporating sophisticated browser fingerprinting, behavioral analysis, and device-level intelligence. Whether attackers exploit rooted devices, WebViews, or more advanced frameworks, we constantly innovate to stay one step ahead. By distinguishing real user interactions from automated clusters, we protect network performance, data integrity, and overall platform security.

Ready to experience OverpoweredJS for yourself? Start protecting your platform against malicious behavior and keep your ecosystem safe. Learn more.