I'm a CISSP certified contract IS auditor. Security pays my mortgage. So yes, I do know quite a bit about this. No, ES does not have complete access to the device, even with root (the way it invokes root is even piss poor). Malware for Android is delivered as an APK. Raw CVEs aren't, but these are coupled with something like Dendroid APKs or other malware for privilege escalation purposes. They leverage something like stagefright and install a malicious APK silently. This is why I asked for a sample of a malicious APK that was delivered through one of these advertisements.