What's this file libAppDataSearchExt_armeabi_v7a.v7.so downloaded from *.gvt1.com on my device?

by Abdelhafid Madoui   Last Updated May 20, 2018 07:11 AM

I was checking the traffic of my Android 7.0 tablet, and I've found that some files are downloaded discreetly, like this one:

GET /edgedl/android/appdatasearch/libAppDataSearchExt_armeabi_v7a.v7.so HTTP/1.1
User-Agent: AndroidDownloadManager/5.1 (Linux; U; Android 5.1; (PRODUCT_ID) Build/LMY47I)
Accept-Encoding: identity
Connection: close
If-Match: "4cbde"
Range: bytes=3260400-
Host: redirector.gvt1.com


HTTP/1.1 302 Found
Date: Thu, 17 May 2018 11:16:44 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: https://r2---sn-5abxgpxuxaxjvh-5abk.gvt1.com/edgedl/android/appdatasearch/libAppDataSearchExt_armeabi_v7a.v7.so?cms_redirect=yes&ip=(MY_IP_ADDRESS)&ipbits=0&mm=28&mn=sn-5abxgpxuxaxjvh-5abk&ms=nvh&mt=1526555073&mv=u&pl=23&shardbypass=yes
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 466
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alt-Svc: hq=":443"; ma=2592000; quic=51303433; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="43,42,41,39,35"
Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://r2---sn-5abxgpxuxaxjvh-5abk.gvt1.com/edgedl/android/appdatasearch/libAppDataSearchExt_armeabi_v7a.v7.so?cms_redirect=yes&amp;ip=(MY_IP_ADDRESS)&amp;ipbits=0&amp;mm=28&amp;mn=sn-5abxgpxuxaxjvh-5abk&amp;ms=nvh&amp;mt=1526555073&amp;mv=u&amp;pl=23&amp;shardbypass=yes">here</A>.
</BODY></HTML>

I've found that this domain is owned by Google here and it says that it's something related to Chrome updates, but this is not the case.

Also, I've found here that this poor developer's app was flagged as malicious because it's downloading the same file: libAppDataSearchExt_armeabi_v7a.v7.so

  1. What is this file?

  2. Why is it downloaded from a Google domain?

  3. Why was it flagged as malicious?

  4. How can I check where the file is stored without being root?
