ArsinkRAT

ArsinkRAT is an Android remote access trojan family. The provided content states that SURXRAT likely evolved from the ArsinkRAT family, based on code references and functional overlap, and that SURXRAT uses a Firebase Realtime Database reference labeled "arsinkRAT," reinforcing the linkage. Zimperium reportedly observed increased ArsinkRAT activity targeting Android devices in January 2026. Based on the linked lineage described in the content, ArsinkRAT is associated with Android device compromise, abuse of Accessibility Services for persistence and control, Firebase-backed command-and-control, extensive surveillance and data theft, and remote device manipulation. Reported capabilities in the linked descendant include exfiltration of contacts, SMS messages, call logs, device and network details, browser history, clipboard contents, notifications, Wi-Fi history, and cellular tower information; enumeration of installed apps and files; and remote actions such as audio recording, camera capture, SMS sending, phone calls, URL opening, wallpaper changes, flashlight and vibration control, file upload and deletion, device unlock/lock, storage wiping, and a ransomware-style screen locker with attacker-defined PIN and real-time reporting of incorrect unlock attempts. The Firebase C2 infrastructure referenced in the content is xrat-sisuriya-default-rtdb.firebaseio.com. The content does not provide standalone ArsinkRAT-specific infection vector details beyond its Android targeting and its relationship to SURXRAT.