Arsink
Arsink is an Android remote access trojan (RAT) identified by Zimperium zLabs. It is distributed outside Google Play and impersonates more than 50 popular brands, including WhatsApp and TikTok, typically masquerading as “Pro” or “Mod” versions of legitimate apps. Delivery has been observed via links shared on Telegram and Discord and through MediaFire. Researchers reported 1,216 unique Arsink variants.
The malware requests extensive permissions and often acts as an empty-shell dropper. Some samples hide their app icon after installation, and some include a hidden secondary payload that can enable infection even when the device is offline. After installation, Arsink runs persistent background services and gives operators broad remote-control and surveillance capabilities. Reported functionality includes audio recording, reading SMS messages, stealing photos, accessing contacts and call history, obtaining the victim’s Google account email address, tracking location, forcing phone calls, and wiping device storage. Arsink has also been reported to use Google Apps Script infrastructure for media and file exfiltration.
Exfiltrated data has been sent through a large and resilient backend using 317 different database points, including Firebase, Telegram bots, and hidden folders on Google Drive. Separate reporting also states that Arsink uses Firebase and Telegram for command-and-control. Zimperium reported the campaign affected about 45,000 devices across 143 countries, with major victim concentrations in Egypt (~13,000), Indonesia (~7,000), and Iraq (~3,000); other reporting also mentions Yemen and Türkiye among infection concentrations. Reporting also links Arsink to SURXRAT, which researchers assessed to be an improved version or successor of Arsink.
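The capability list above (audio recording, SMS, contacts, call history, location, forced calls, a hidden icon and a dropper that installs a secondary payload) maps directly onto permissions and manifest structure that a defender can inspect before or after an install. The following is an added example written for this page, not code from Zimperium or from the Mallory product: it takes a decoded AndroidManifest.xml (an APK stores the manifest as binary XML, so it must first be decoded with a tool such as apktool), tallies a weighted set of surveillance-related permissions, and checks whether the app has any launcher entry and declares a background service. Both sample manifests are constructed, the package names are placeholders, and the permission weights and threshold are this example's own heuristic, not a published detection rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Weighted permissions matching the capabilities reported for Arsink
# (audio capture, SMS, contacts, call history, location, forced calls,
# storage) plus package installation for the dropper behaviour.
# The weights are this example's own heuristic, not a published rule.
RISKY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.CALL_PHONE": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
}


def _is_launcher(intent_filter) -> bool:
    """True when an intent-filter registers a MAIN/LAUNCHER entry (home-screen icon)."""
    actions = {a.get(NAME) for a in intent_filter.iter("action")}
    categories = {c.get(NAME) for c in intent_filter.iter("category")}
    return ("android.intent.action.MAIN" in actions
            and "android.intent.category.LAUNCHER" in categories)


def analyze_manifest(xml_text: str) -> dict:
    """Summarise the permission and component facts relevant to RAT triage."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    matched = sorted(p for p in permissions if p in RISKY_PERMISSIONS)
    # An app with no launcher entry at all has no icon to hide; Arsink samples
    # that hide the icon after install do it at runtime, so treat a missing
    # launcher entry as one more indicator rather than proof.
    has_launcher = any(
        _is_launcher(f)
        for tag in ("activity", "activity-alias")
        for component in root.iter(tag)
        for f in component.iter("intent-filter")
    )
    services = sorted(s.get(NAME) for s in root.iter("service"))
    return {
        "package": root.get("package"),
        "risky_permissions": matched,
        "score": sum(RISKY_PERMISSIONS[p] for p in matched),
        "has_launcher": has_launcher,
        "services": services,
    }


def is_suspicious(report: dict, threshold: int = 6) -> bool:
    """Heuristic verdict: broad surveillance permissions, or a smaller set
    combined with no launcher entry and a persistent background service."""
    if report["score"] >= threshold:
        return True
    return report["score"] >= 3 and not report["has_launcher"] and bool(report["services"])


# Constructed sample: a brand-impersonating "Pro" build with the permission
# profile described for Arsink, no launcher entry, and a background service.
SAMPLE_RAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brandname.pro">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Brand Pro">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>"""

# Constructed sample: an ordinary app that legitimately needs location.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_RAT_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        report = analyze_manifest(text)
        verdict = "suspicious" if is_suspicious(report) else "ok"
        print(report["package"], verdict, report["risky_permissions"])
```

The score on its own is a coarse filter; the value of the check is in the combination. A single high-weight permission such as CALL_PHONE is normal for a dialler, but the full surveillance set together with no launcher entry and a declared service, in a sideloaded "Pro" build of a well-known brand, is the profile the reporting above describes and is worth pulling the sample for deeper analysis.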
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Android trojan that impersonates popular brands to trick users into installing malicious apps, enabling theft of sensitive data and remote compromise of devices.
Android malware family detected in the wild; the source notes an improved variant called SURXRAT.
Referenced as the predecessor framework/family that SURXRAT is assessed to improve upon.
Mobile malware family noted for leveraging Google Apps Script infrastructure.