Arsink RAT
Arsink RAT is an Android remote access trojan (RAT) described as cloud-native and capable of giving attackers complete control over infected devices. It is distributed primarily through social engineering rather than exploits, masquerading as fake or modified versions of popular apps associated with Google, YouTube, WhatsApp, Instagram, Facebook, and TikTok. Reported distribution channels include social media platforms such as Telegram and Discord, as well as file-sharing sites including MediaFire. The malware requests excessive permissions, provides little or no legitimate functionality, and then conducts covert surveillance and data theft.
Reported capabilities include exfiltration of SMS messages (including one-time passwords), call logs, contacts, device location, and microphone audio. Operators can also trigger actions such as toggling the flashlight, making phone calls, uploading files, and wiping data from external storage. Reported persistence mechanisms include hiding the app icon and running a foreground service to resist termination. Some variants reportedly upload stolen data to Google Drive via Google Apps Script, while others exfiltrate data through attacker-controlled Telegram bots. One described variant can extract and install a secondary malicious payload without internet connectivity.
According to the cited reporting, the campaign affected approximately 45,000 devices across 143 countries. Zimperium is cited as identifying 1,216 malicious APKs and 317 Firebase Realtime Database endpoints used for command and control. Infection concentrations were reported highest in Egypt, followed by Indonesia, with additional notable victim counts in Iraq, Yemen, Pakistan, India, and Bangladesh. No threat actor attribution is reported.
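A static triage check for the permission and icon-hiding pattern described above, as an added example that is not part of the original page or any vendor's tooling; the permission list, the scoring threshold and the disabled-launcher heuristic are my assumptions, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together enable the surveillance and remote actions described above.
SURVEILLANCE_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS/OTP interception",
    "android.permission.READ_SMS": "SMS/OTP interception",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.CALL_PHONE": "remote call placement",
    "android.permission.FOREGROUND_SERVICE": "termination-resistant service",
    "android.permission.REQUEST_INSTALL_PACKAGES": "secondary payload install",
}

def triage_manifest(xml_text: str, threshold: int = 5) -> dict:
    """Score a decoded AndroidManifest.xml against the Arsink-style permission pattern."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    hits = {p: why for p, why in SURVEILLANCE_PERMS.items() if p in requested}
    # Heuristic (assumption): a launcher entry point shipped disabled is one way an app
    # can have no visible icon; icon hiding done at runtime will not show up here.
    hidden_launcher = False
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        categories = {c.get(ANDROID_NS + "name") for c in comp.iter("category")}
        if ("android.intent.category.LAUNCHER" in categories
                and comp.get(ANDROID_NS + "enabled") == "false"):
            hidden_launcher = True
    score = len(hits) + (2 if hidden_launcher else 0)
    return {"hits": hits, "hidden_launcher": hidden_launcher,
            "score": score, "suspicious": score >= threshold}

# Constructed sample manifest (placeholder package name), not taken from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Fake Updater">
    <activity android:name=".Main" android:enabled="false">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; a high score is a reason to sandbox the sample, not a verdict on its own.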
Recent activity
Android remote access trojan distributed via trojanized apps; focuses on broad device surveillance and data theft (SMS, call logs, contacts, location, audio).
Android cloud-native remote access trojan that spreads via social engineering (fake/modded popular apps shared on Telegram/Discord/MediaFire), requests excessive permissions, hides its icon for persistence, and enables extensive surveillance and data theft (SMS/OTPs, call logs, contacts, location, microphone audio). It uses cloud-backed C2 infrastructure (e.g., Firebase Realtime Database endpoints) and can exfiltrate data via services like Google Drive (Apps Script) or Telegram bots; operators can also perform remote actions such as toggling flashlight, making calls, uploading files, and wiping external storage.