Arsink is a cloud-native Android Remote Access Trojan (RAT) that aggressively harvests private data and gives remote operators intrusive control over infected devices. We observed multiple variants that use Google Apps Script to upload larger files and media to Google Drive, or Firebase Realtime Database + Firebase Storage & Telegram for C2 and exfiltration.
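The C2 and exfiltration paths described above all run over ordinary Google and Telegram endpoints, so a plain host blocklist is not a usable control. The following added example (not code from the original post or from Zimperium) shows how a defender can instead correlate the channels per device in proxy logs: a device that polls a Firebase Realtime Database endpoint and also pushes to one of the bulk-upload channels is a hunt lead. It assumes that RTDB hosts end in firebaseio.com or firebasedatabase.app, that Firebase Storage is served from firebasestorage.googleapis.com, that Apps Script web apps sit under script.google.com/macros/, and that the Telegram Bot API lives under api.telegram.org/bot<token>/. The log lines, device ids, script id and bot token are constructed placeholders.

```python
"""Added example: correlate cloud-service C2 channels per device in proxy logs.
Not from the original post or Zimperium tooling; host patterns are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "<device-id> <method> <url>" per line.
SAMPLE_LOG = """\
dev-01 GET https://example-app-default-rtdb.firebaseio.com/devices/abc/commands.json
dev-01 POST https://script.google.com/macros/s/PLACEHOLDER_SCRIPT_ID/exec
dev-01 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument
dev-02 GET https://www.googleapis.com/calendar/v3/users/me/calendarList
dev-02 GET https://example-app-default-rtdb.firebaseio.com/settings.json
dev-03 POST https://firebasestorage.googleapis.com/v0/b/example-bucket/o
dev-03 PUT https://example-app.firebasedatabase.app/victims/dev-03.json
"""

# Channels that carry bulk uploads (media, files) as opposed to tasking.
UPLOAD_CHANNELS = {"firebase_storage", "apps_script", "telegram_bot"}


def classify(url):
    """Return the cloud-channel category of a URL, or None for ordinary traffic."""
    p = urlparse(url)
    host = p.hostname or ""
    if host.endswith(".firebaseio.com") or host.endswith(".firebasedatabase.app"):
        return "firebase_rtdb"          # Realtime Database: tasking / data sink
    if host == "firebasestorage.googleapis.com":
        return "firebase_storage"       # Firebase Storage bucket upload
    if host == "script.google.com" and p.path.startswith("/macros/"):
        return "apps_script"            # Apps Script web app ("macro") upload
    if host == "api.telegram.org" and re.match(r"^/bot[^/]+/", p.path):
        return "telegram_bot"           # Telegram Bot API
    return None


def triage(log_text):
    """Group channel hits per device; flag devices that combine an RTDB endpoint
    with at least one upload channel. Returns (hits_by_device, flagged_devices)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                    # skip malformed lines
        device, _method, url = parts
        category = classify(url)
        if category:
            hits[device].add(category)
    flagged = sorted(d for d, cats in hits.items()
                     if "firebase_rtdb" in cats and cats & UPLOAD_CHANNELS)
    return dict(hits), flagged


if __name__ == "__main__":
    by_device, suspicious = triage(SAMPLE_LOG)
    for dev in sorted(by_device):
        print(dev, sorted(by_device[dev]), "FLAG" if dev in suspicious else "")
```

Many legitimate apps use Firebase, so a single RTDB hit (dev-02 above) is noise; the correlation of tasking plus an upload channel is what narrows the set, and even then it is a lead for on-device inspection rather than a verdict.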
The operation's significant scale is evidenced by the 1,216 distinct APK hashes identified across the observation period (Figure 1). Notably, 774 of these samples incorporate Google Apps Script or "macro" upload mechanisms, pointing to the extensive use of Google services for media and file exfiltration. The operation leverages 317 distinct Firebase Realtime Database endpoints as C2/data sinks, and our infrastructure enumeration extracted 45,000 unique victim IPs, demonstrating both scale and breadth of exposure.
Figure 1. Samples found over the observation period
Distribution is broad and social-engineered. The malware is pushed via Telegram, Discord, and MediaFire links, as well as similar channels, while impersonating dozens of popular brands: Figure 2 shows some of the brands that were impersonated in this campaign.
Figure 2. Brands that were impersonated in this campaign
The zLabs team has been tracking this campaign over the past few months, observing a consistent increase in sample distribution and C2 infrastructure reuse across multiple clusters.
Arsink samples are distributed through a wide range of social-engineered channels rather than a single vector. In our collection, we consistently observed malicious APKs delivered via Telegram channels, Discord posts and direct MediaFire-hosted APK links.
Key traits of the campaign are:
To better reflect the diversity in the wild, we identified four operational variants that were found in this campaign:
In most cases the apps do not deliver real features: they display a minimal UI, immediately request sensitive permissions, and then operate silently.
In parallel with tracking and detection, zLabs worked directly with Google to report and disrupt Arsink’s abuse of legitimate cloud services. As part of this coordinated effort, multiple malicious Firebase Realtime Database endpoints and attacker-controlled Google Apps Script instances used for command-and-control and data exfiltration were identified and dismantled. On top of this, Google disabled malicious Apps Scripts accounts and confirmed that known versions of Arsink Rat malware do not exist on Google Play and that Android users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. These actions significantly degraded the campaign’s operational capacity and forced threat actors to retool their infrastructure.
While takedowns help reduce active abuse, Arsink’s rapid variant churn and shifting exfiltration paths underscore why detection and prevention at the device level remain critical — attackers can reconstitute infrastructure faster than centralized blocklists or takedown processes can fully contain.
Arsink is a sophisticated malware that actively exfiltrates information, transmitting it directly to its operators while affording them complete remote control. The analysis of the samples revealed this stealthy tool is highly versatile, possessing multiple methods to exfiltrate compromised data:
The Arsink operation has a truly global footprint, as it is not confined to any specific geographic area. From the analysis of victim telemetry and publicly accessible C2 dumps, we identified ≈45,000 unique infected IP addresses spanning some 143 countries across the Middle East, Asia, Africa, Europe, and the Americas.
The largest concentrations were observed in Egypt (≈13,000 devices), Indonesia (≈7,000), Iraq (≈3,000), Yemen (≈3,000) and Türkiye (≈2,000). Notable clusters also appear in Pakistan (≈2,500), India (≈2,500), Bangladesh (≈1,600), and North African countries such as Algeria and Morocco (each ≈1,000), regions where third-party APK distribution and Telegram sharing are common. Figure 3 shows a world map visualising infection density by country and highlights the campaign’s multi-regional scale.
Figure 3. Geographic distribution of victim IPs extracted from misconfigured C2 databases.
This geographic diversity reinforces that Arsink is an opportunistic, mass-distribution threat rather than a regionally targeted campaign, leveraging brand impersonation and social platforms to achieve worldwide penetration.
The Arsink campaign represents one of the most persistent and evolving Android surveillance operations observed in recent months. What began as a single-family threat abusing Firebase as a command-and-control channel has expanded into a large, modular ecosystem of variants, each using different exfiltration paths such as Firebase Storage, Google Apps Script and Drive, Telegram bots, and embedded payload droppers.
From a user’s perspective these apps appear harmless; most offer no real functionality beyond intrusive permission prompts. Behind the scenes, however, they continuously exfiltrate messages, contacts, call logs, location data, and media content, while allowing operators to issue remote commands and even wipe files.
As the zLabs team continues to track this operation, we expect further retooling and diversification of its infrastructure. The ongoing campaign serves as a reminder that modern mobile malware no longer relies solely on dedicated servers or overt phishing sites; it thrives within legitimate ecosystems, exploiting user trust in familiar brands and widely used cloud services.
Despite Arsink’s heavy reliance on legitimate cloud platforms and its rapid variant churn, Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) provide effective protection against this threat through on-device, behavior-based detection. Across the Arsink RAT variants analyzed, Zimperium detects malicious activity in a zero-day fashion, without relying on static signatures or pre-existing indicators of compromise.
For enterprises, Arsink represents more than a consumer spyware threat—it is a direct risk to corporate data, operations, and brand trust. Devices compromised by Arsink can silently exfiltrate SMS messages (including OTPs), contacts, call logs, audio, and files, enabling account takeover, fraud, and lateral abuse of enterprise services. The malware’s use of trusted cloud platforms further complicates traditional network-based defenses, allowing it to blend into normal traffic. In organizations where mobile devices access corporate email, authentication flows, messaging platforms, or customer data, an infection like Arsink can quickly escalate into credential theft, unauthorized access, regulatory exposure, and reputational damage—making on-device, behavior-based protection a critical control for modern enterprises.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | | Deliver Malicious App via Other Means | Distribution of malicious APKs outside official stores (direct links, DMs, file hosts, sideloading). |
| Initial Access | | Phishing | Use of messages/links on Telegram/WhatsApp/Discord/MediaFire to lure users into installing or sideloading APKs. |
| Discovery | | System Information Discovery | Collects OS/build/model/version/serial and other device identifiers used to profile victims. |
| Discovery | | System Network Configuration Discovery | Gathers network-related info (interfaces, IMSI/IMEI, public IP lookup). |
| Collection | T1533 | Data from Local System | Enumerates files/media on external storage and local data stores for exfiltration. |
| Collection | T1636.004 | Protected User Data: SMS Messages | Reads and continuously exfiltrates SMS messages (including OTPs). |
| Collection | T1636.002 | Protected User Data: Call Log | Harvests call history (numbers, types, timestamps, durations). |
| Collection | T1636.003 | Protected User Data: Contact List | Reads the contacts/address book for bulk exfiltration. |
| Collection | T1429 | Audio Capture | Records microphone audio and stages/uploads recordings to cloud storage. |
| Execution/Persistence | | Foreground Persistence | Starts a foreground service/sticky notification to keep running and retain sensor access. |
| Defense Evasion | T1628.001 | Hide Artifacts: Suppress Application Icon | Hides the launcher icon to avoid casual detection/uninstallation. |
| Command and Control | T1437 | Application Layer Protocol (Web/HTTPS) | Uses web API/cloud services (Firebase RTDB/Storage, Apps Script/Drive, Telegram Bot API) for C2 and control. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Sends stolen data over the same channels used for C2 (Firebase endpoints, Telegram Bot API, Apps Script). |
| Impact | T1630.002 | Delete Device Data/Data Destruction | Provides an operator-triggered destructive wipe of the external storage root (mapped device wipe/file deletion behaviors). |
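The table above maps Arsink's behaviors to ATT&CK techniques, several of which show up directly in an APK's manifest as requested permissions and declared components. The following added example (not code from the original post or from Zimperium) turns that mapping into a static triage check: it parses a manifest, records which Collection techniques the declared permissions enable, checks for the Foreground Persistence pattern, and flags an app whose profile matches the "minimal UI, many data permissions, foreground service" shape described earlier. Both manifests are constructed, the package names are placeholders, and the permission-to-technique mapping is an assumption made for this example; the technique IDs are the ones in the table.

```python
"""Added example: static triage of an Android manifest against the ATT&CK rows
in the table. Not from the original post; the permission mapping is assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest shaped like the apps described in the post.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.brandlookalike">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".Sync" android:foregroundServiceType="microphone"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app for the negative case.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application>
    <activity android:name=".Main"/>
  </application>
</manifest>"""

# Permission -> (technique ID from the table, name). Mapping is an assumption.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_SMS": ("T1636.004", "Protected User Data: SMS Messages"),
    "android.permission.RECEIVE_SMS": ("T1636.004", "Protected User Data: SMS Messages"),
    "android.permission.READ_CALL_LOG": ("T1636.002", "Protected User Data: Call Log"),
    "android.permission.READ_CONTACTS": ("T1636.003", "Protected User Data: Contact List"),
    "android.permission.RECORD_AUDIO": ("T1429", "Audio Capture"),
    "android.permission.READ_EXTERNAL_STORAGE": ("T1533", "Data from Local System"),
    "android.permission.READ_MEDIA_IMAGES": ("T1533", "Data from Local System"),
}


def profile(manifest_xml):
    """Extract declared permissions, the Collection techniques they enable, and
    whether the Foreground Persistence pattern (permission + a service) is present."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    techniques = sorted({PERMISSION_TECHNIQUES[p] for p in perms if p in PERMISSION_TECHNIQUES})
    foreground = ("android.permission.FOREGROUND_SERVICE" in perms
                  and root.find(".//service") is not None)
    return {"package": root.get("package"), "permissions": perms,
            "techniques": techniques, "foreground_service": foreground}


def is_arsink_like(prof, min_collection=3):
    """Heuristic verdict: at least min_collection distinct Collection technique IDs
    plus foreground persistence. Icon hiding and C2 hosts are runtime behaviors
    and cannot be judged from the manifest alone."""
    ids = {tid for tid, _ in prof["techniques"]}
    return len(ids) >= min_collection and prof["foreground_service"]


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        p = profile(xml)
        print(p["package"], [t[0] for t in p["techniques"]], is_arsink_like(p))
```

This is a pre-install or app-vetting check that complements on-device behavior-based detection rather than replacing it: a repackaged app can ship the same permissions as a legitimate messaging client, so the verdict should feed review, and the dynamic behaviors in the table (icon suppression, cloud C2, wipe) still need runtime observation.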
The IOCs for this campaign can be found in this repository.