Arsink is a cunning Android malware that allows hackers to take over phones remotely and steal personal information. This remote access trojan (RAT) transmits stolen data via free cloud services such as Firebase, Telegram, and Google Drive.

Zimperium tracked 1,216 unique APK files over several months; 774 of them used Google Apps Script for large file uploads. The researchers identified 45,000 victim IP addresses across 143 countries and 317 Firebase command-and-control servers.

Widespread Distribution Through Tricks

Hackers spread Arsink via Telegram channels, Discord posts, and MediaFire links. They impersonate well-known apps from more than 50 companies, including Facebook, Google, YouTube, WhatsApp, Instagram, and TikTok.

To trick users into believing they are getting free upgrades, the files are labeled "mod" or "pro."

Once installed, the applications immediately request extensive permissions, then hide and operate covertly. They offer no real features, only spying.

Samples discovered over time (Source: Zimperium)

Four Principal Variants In Use

Zimperium spotted four types of Arsink:

Apps Script + Firebase: Small data goes to the Firebase Realtime Database, Firebase Storage receives audio, and Google Apps Script is used to send large files, such as photos, to Google Drive.

Telegram exfil: Information is sent directly to a hacker's Telegram bot for quick leaks, such as SMS messages and device details.

Embedded dropper: Hides a second payload inside the app. It avoids internet downloads by extracting and renaming the payload (for example, Ai_App.zip to App.apk).

Arsink captures a complete device snapshot, including the public IP, model, battery, location, and Google emails. It pulls SMS messages (including newly arriving ones that carry verification codes), call logs, and contacts. It records audio through the microphone and stores it in the cloud, and it lists photos and files for upload.
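As an added illustration (not Zimperium's tooling and not code from the report), the Python script below triages an APK for the two traits described above: hard-coded free-cloud exfiltration endpoints in its code, and a second APK shipped as a renamed archive under assets/. The endpoint patterns are assumptions based on the services named here, and the fixture APK is constructed inline.

```python
import io
import re
import zipfile

# Assumed byte patterns for the free cloud services the report names as exfil channels.
CLOUD_ENDPOINTS = {
    "firebase_rtdb": rb"[a-z0-9-]+\.firebaseio\.com",
    "firebase_storage": rb"firebasestorage\.googleapis\.com",
    "apps_script": rb"script\.google\.com/macros/s/",
    "telegram_bot": rb"api\.telegram\.org/bot",
}

def _scan_endpoints(data: bytes, hits: set) -> None:
    """Record which endpoint patterns appear in a blob (DEX strings are plain MUTF-8)."""
    for label, pattern in CLOUD_ENDPOINTS.items():
        if re.search(pattern, data):
            hits.add(label)

def triage_apk(apk_bytes: bytes) -> dict:
    """Report hard-coded exfil endpoints and embedded APK payloads inside an APK (a zip)."""
    findings = {"endpoints": set(), "embedded_apks": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            _scan_endpoints(data, findings["endpoints"])
            # Dropper trait: an asset that is itself a zip carrying an Android manifest.
            if name.startswith("assets/") and data[:2] == b"PK":
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        if "AndroidManifest.xml" in inner.namelist():
                            findings["embedded_apks"].append(name)
                            for member in inner.namelist():
                                _scan_endpoints(inner.read(member), findings["endpoints"])
                except zipfile.BadZipFile:
                    pass
    return findings

def build_sample_apk() -> bytes:
    """Constructed fixture, not a real sample: an outer APK shaped like the dropper variant."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0 https://example-app.firebaseio.com/ ")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0 https://api.telegram.org/bot<PLACEHOLDER>/sendDocument ")
        z.writestr("assets/Ai_App.zip", inner.getvalue())
    return outer.getvalue()
```

On the fixture, triage_apk reports the Telegram bot endpoint from the outer code, the Firebase endpoint from the payload hidden in assets/Ai_App.zip, and that asset as an embedded APK.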

Companies impersonated in this campaign (Source: Zimperium)

Hackers can remotely toggle the flashlight, vibrate the phone, play music, change the wallpaper, display messages, or read text. They manage files (list, create folders, upload, delete), initiate calls, and can even erase all external storage. To stay stealthy, the malware runs a foreground service with a fake notification, hides its icon, and polls its servers frequently. Victims span the Middle East, Asia, Africa, Europe, and the Americas.

Egypt has the highest number of infections (13,000), followed by Indonesia (7,000), Iraq and Yemen (3,000 each), Pakistan and India (2,500 each), Turkey (2,000), Bangladesh (1,600), and Algeria and Morocco (1,000 each).

India's share is linked to the common practice of sharing APKs on Telegram. Zimperium worked with Google to shut down the malicious Firebase endpoints, Apps Scripts, and accounts. Google Play Protect blocks known Arsink samples installed from outside the Play Store.

Still, hackers shift tools fast, so device-level defenses matter.

Geographic distribution of victim IPs, taken from misconfigured C2 databases (Source: Zimperium)

Zimperium's Mobile Threat Defense detects Arsink by behavior rather than signatures, which is vital for firms because the malware steals work logins via SMS codes.

MITRE ATT&CK Methods

Initial Access
T1476: Deliver Malicious App via Other Means
T1660: Phishing

Discovery
T1426: System Information Discovery
T1422: System Network Configuration Discovery

Collection
T1533: Data from Local System
T1636.004: Protected User Data: SMS Messages
T1636.002: Protected User Data: Call Log
T1636.003: Protected User Data: Contact List
T1429: Audio Capture

Execution and Persistence
T1541: Foreground Persistence

Defense Evasion
T1628.001: Hides Application Icon

Command and Control
T1437: Application Layer Protocol

Exfiltration
T1646: Exfiltration over C2 Channel

Impact
T1630.002: Delete Device Data