Arsink: Android Malware Exploits Cloud Tools for Large-Scale Data Theft
A sophisticated Android remote access trojan (RAT) dubbed Arsink has been uncovered, leveraging free cloud services to steal sensitive data and remotely control infected devices. Security firm Zimperium tracked the malware over several months, identifying 1,216 unique APK files, 317 Firebase command-and-control (C2) servers, and 45,000 victim IP addresses across 143 countries.
Distribution & Deception
Hackers distributed Arsink through Telegram channels, Discord posts, and MediaFire links, disguising it as modified or "pro" versions of popular apps from over 50 brands, including Google, YouTube, WhatsApp, Instagram, TikTok, and Facebook. Once installed, the malware requests excessive permissions, hides its icon, and operates covertly, offering no legitimate functionality while harvesting data.
Four Attack Variants
Zimperium identified four primary Arsink variants, each using different cloud-based exfiltration methods:
- Firebase + Google Apps Script – Small data (e.g., device info) is sent to Firebase Realtime Database, while larger files (photos, audio) are uploaded via Google Apps Script to Google Drive.
- Telegram Exfiltration – SMS messages, call logs, and device details are transmitted directly to a hacker-controlled Telegram bot.
- Embedded Dropper – A secondary payload is hidden within the app, extracted and renamed (e.g., Ai_App.zip to App.apk) without requiring internet downloads, evading detection.
- Hybrid Cloud Abuse – Combines Firebase, Google Drive, and Telegram for data theft and command execution.
Data Theft & Remote Control
Arsink captures a full device snapshot, including:
- Device details (model, battery, location, Google account emails)
- SMS messages (including one-time passcodes)
- Call logs & contacts
- Microphone recordings (stored in cloud storage)
- Photos & files (listed for potential upload)
Attackers can remotely:
- Toggle the flashlight, vibrate the phone, or play sounds
- Change wallpaper, display messages, or speak text via text-to-speech
- Initiate calls, manage files (upload, delete, wipe external storage)
- Hide the app icon and maintain persistence via fake foreground notifications
Global Impact & Victim Distribution
The malware has infected users across the Middle East, Asia, Africa, Europe, and the Americas, with the highest concentrations in:
- Egypt (13,000 infections)
- Indonesia (7,000)
- Iraq & Yemen (3,000 each)
- Türkiye (2,000)
- Pakistan & India (2,500 each)
- Bangladesh (1,600)
- Algeria & Morocco (1,000 each)
India’s high infection rate correlates with frequent Telegram-based APK distribution.
Mitigation & Response
Zimperium collaborated with Google to dismantle malicious Firebase endpoints, Apps Scripts, and accounts. Google Play Protect now blocks known Arsink samples outside the Play Store. However, attackers rapidly adapt, making behavior-based detection critical for enterprises, particularly as the malware targets work-related credentials via SMS interception.
Arsink’s use of legitimate cloud services for C2 operations highlights the growing challenge of detecting malware that blends into normal traffic.
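One defender-side check that the four exfiltration channels above and the call for behavior-based detection suggest, written as an added example (it is not code from the report or from Zimperium): it scores proxy-log requests per Android client and flags Telegram Bot API use, or a combination of Firebase Realtime Database and Apps Script requests, which mirrors the first and fourth variants. The log layout, client addresses, Firebase project names and bot token are constructed placeholders; the service hostnames are assumed from the services' public endpoints.

```python
import re
from collections import defaultdict

# Public endpoints of the services the report names (Firebase Realtime Database,
# Google Apps Script web apps, Telegram Bot API). A single hit can be legitimate,
# so scoring looks at the combination a client uses, not at one request.
CHANNELS = {
    "firebase_rtdb": (re.compile(r"^[\w-]+\.firebaseio\.com$"), None),
    "apps_script": (re.compile(r"^script\.google\.com$"), re.compile(r"^/macros/s/")),
    "telegram_bot": (re.compile(r"^api\.telegram\.org$"), re.compile(r"^/bot\d+:[\w-]+/")),
}
# Constructed proxy-log layout: <ts> <client_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

def classify(host, path):
    """Return the exfiltration channel a request matches, or None."""
    for name, (host_re, path_re) in CHANNELS.items():
        if host_re.match(host) and (path_re is None or path_re.match(path)):
            return name
    return None

def score_log(lines):
    """Per Android client, flag Telegram Bot API use (no reason for a phone app to
    do it) or two or more channels combined, as in the Firebase + Apps Script and
    hybrid variants. Returns {client_ip: sorted channel names}."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "Android" not in m["ua"]:
            continue  # malformed line or not a mobile client
        chan = classify(m["host"], m["path"])
        if chan:
            seen[m["client"]].add(chan)
    return {c: sorted(ch) for c, ch in seen.items()
            if "telegram_bot" in ch or len(ch) >= 2}

# Constructed sample: 10.0.0.5 shows the hybrid pattern, 10.0.0.9 only touches
# Firebase (typical of legitimate apps), 10.0.0.7 is a desktop client.
UA = '"Dalvik/2.1.0 (Linux; U; Android 13)"'
SAMPLE_LOG = [
    f"2026-02-01T10:00:01Z 10.0.0.5 PUT example-rat-1a2b.firebaseio.com /devices/abc.json {UA}",
    f"2026-02-01T10:00:07Z 10.0.0.5 POST script.google.com /macros/s/PLACEHOLDER_ID/exec {UA}",
    f"2026-02-01T10:00:09Z 10.0.0.5 POST api.telegram.org /bot000000:PLACEHOLDER_TOKEN/sendMessage {UA}",
    f"2026-02-01T10:00:12Z 10.0.0.9 GET legit-app-default.firebaseio.com /config.json {UA}",
    '2026-02-01T10:00:15Z 10.0.0.7 GET api.telegram.org /bot000000:PLACEHOLDER_TOKEN/getUpdates "Mozilla/5.0 (Windows NT 10.0)"',
]
if __name__ == "__main__":
    for client, channels in score_log(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(channels)}")
```

Because the first variant combines only Firebase and Apps Script, a client showing those two channels is flagged even without Telegram; tune the threshold against your own fleet's baseline, since Firebase alone is common in legitimate apps.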
Source: https://cyberpress.org/arsink-rat-targets-android/
{
"id": "MEDZYPTELMETTIKGOOYOU1770029110",
"linkid": "mediafire, zyper., telegram-messenger, meta, tiktok, google, youtube",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '45,000+ victim IP addresses',
'location': ['Middle East',
'Asia',
'Africa',
'Europe',
'Americas'],
'name': 'General Android users',
'type': 'Individuals'},
{'industry': ['Technology', 'Social Media', 'Messaging'],
'location': 'Global',
'name': 'Brands spoofed (e.g., Google, WhatsApp, '
'Instagram, TikTok, Facebook)',
'type': 'Corporations'}],
'attack_vector': ['Telegram channels',
'Discord posts',
'MediaFire links',
'Fake/modified APKs'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['APKs',
'Photos',
'Audio recordings',
'Text files'],
'number_of_records_exposed': '45,000+ victim IP addresses '
'(exact records unclear)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, OTPs, audio recordings, '
'photos)',
'type_of_data_compromised': ['Device details',
'SMS messages',
'Call logs',
'Contacts',
'Microphone recordings',
'Photos',
'Files',
'Google account emails']},
'description': 'A sophisticated Android remote access trojan (RAT) dubbed '
'Arsink has been uncovered, leveraging free cloud services to '
'steal sensitive data and remotely control infected devices. '
'The malware was distributed through Telegram channels, '
'Discord posts, and MediaFire links, disguising itself as '
"modified or 'pro' versions of popular apps. It captures "
'device details, SMS messages, call logs, contacts, microphone '
'recordings, photos, and files, while allowing remote control '
'of infected devices.',
'impact': {'brand_reputation_impact': 'Potential reputational damage for '
'brands whose apps were spoofed (e.g., '
'Google, WhatsApp, Instagram)',
'data_compromised': ['Device details',
'SMS messages (including OTPs)',
'Call logs',
'Contacts',
'Microphone recordings',
'Photos',
'Files',
'Google account emails'],
'identity_theft_risk': 'High (PII and OTP interception)',
'operational_impact': 'Remote control of infected devices, '
'potential credential theft, data '
'exfiltration',
'payment_information_risk': 'High (SMS-based OTP theft)',
'systems_affected': 'Android devices'},
'initial_access_broker': {'backdoors_established': 'Hidden app functionality, '
'fake foreground '
'notifications',
'entry_point': ['Telegram channels',
'Discord posts',
'MediaFire links']},
'investigation_status': 'Ongoing (malware variants rapidly evolving)',
'lessons_learned': 'Malware increasingly abuses legitimate cloud services for '
'C2 operations, making detection harder. Behavior-based '
'detection is critical for enterprises, especially for '
'work-related credential theft via SMS interception.',
'motivation': ['Data theft',
'Remote device control',
'Potential financial gain (e.g., SMS interception for OTPs)'],
'post_incident_analysis': {'corrective_actions': ['Takedown of malicious '
'cloud endpoints',
'Behavior-based detection '
'implementation',
'User education on app '
'installation risks'],
'root_causes': ['Abuse of legitimate cloud '
'services (Firebase, Google Apps '
'Script, Telegram, Google Drive)',
'Excessive permissions granted to '
'malicious apps',
'Lack of user awareness about '
'sideloading risks']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Avoid sideloading APKs from untrusted sources',
'Use Google Play Protect to block malicious apps',
'Monitor for unusual cloud service traffic',
'Implement behavior-based detection for enterprises',
'Educate users on risks of fake/modified apps'],
'references': [{'source': 'Zimperium'}],
'response': {'containment_measures': 'Google dismantled malicious Firebase '
'endpoints, Apps Scripts, and accounts; '
'Google Play Protect blocks known Arsink '
'samples',
'enhanced_monitoring': 'Behavior-based detection for enterprises',
'remediation_measures': 'Behavior-based detection, blocking '
'malicious APKs, cloud service takedowns',
'third_party_assistance': 'Zimperium (security firm)'},
'title': 'Arsink: Android Malware Exploits Cloud Tools for Large-Scale Data '
'Theft',
'type': 'Malware (Remote Access Trojan - RAT)',
'vulnerability_exploited': 'Excessive permissions, hidden app functionality, '
'cloud service abuse (Firebase, Google Apps '
'Script, Telegram, Google Drive)'}