
The Arsink RAT exploits legitimate Google cloud services to steal SMS messages, contacts, call logs, and audio while giving operators complete remote control of compromised devices.
The Arsink RAT (Remote Access Trojan) campaign represents one of the most extensive mobile surveillance operations discovered in recent months. According to research from mobile security firm Zimperium, it exploits legitimate Google cloud infrastructure to evade detection while harvesting sensitive user data.
In Asia, Indonesia bore the brunt of the campaign with approximately 7,000 infected devices, followed by India and Pakistan with around 2,500 devices each, and Bangladesh with 1,600 compromised phones. The malware also showed a significant presence in Middle Eastern nations, including Egypt with 13,000 infections, and Iraq and Yemen with 3,000 affected devices each.
The campaign follows a troubling pattern of Android RAT operations exploiting cloud infrastructure. For instance, we previously reported on the RadzaRat Android trojan that similarly abused legitimate services and achieved zero detection across 66 security vendors.
Zimperium researchers identified 1,216 distinct malicious APK variants, and said the campaign leveraged 317 unique Firebase Realtime Database endpoints for command-and-control activities.
The malware spreads through social engineering on platforms including Telegram, Discord, and MediaFire, impersonating over 50 popular brands such as Google, YouTube, WhatsApp, Instagram, Facebook, and TikTok, and tricking users into downloading what appear to be premium or modified versions of legitimate applications.
Comprehensive surveillance capabilities
Once installed, Arsink harvests an extensive range of data, including SMS messages, call logs, contacts, device location, and Google account information. The malware can also activate the microphone for audio recording and upload photos and files from infected devices.
What makes this campaign particularly dangerous is its abuse of trusted Google services. Multiple variants use Google Apps Script to upload files to Google Drive, while others utilize Firebase Realtime Database combined with Firebase Storage for command-and-control communications. Some versions even employ Telegram bots for direct data exfiltration.
"Modern mobile malware no longer relies solely on dedicated servers or overt phishing sites," the Zimperium researchers noted. "It thrives within legitimate ecosystems, exploiting user trust in familiar brands and widely used cloud services."
The exploitation of Firebase has become increasingly common among Android malware operators. Back in 2022, our researchers analyzed over 33,000 Android apps and found more than 14,000 Firebase URLs hardcoded in apps, with 606 linking to open Firebase instances vulnerable to exploitation.
Remote control and long-term persistence
Beyond passive surveillance, operators behind Arsink can remotely control infected devices, including initiating phone calls, toggling the flashlight, displaying operator messages, deleting files, and even wiping external storage entirely.
The malware maintains persistence by hiding its launcher icon and running as a foreground service with a persistent notification that prevents termination. This allows continuous operation even when users attempt to close background processes.
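The abuse of Google-hosted channels and the persistence tricks described above leave static traces that a triage pipeline can score before an app is installed. The following is an added example written for this article, not code from Zimperium or Cybernews: it takes a decoded AndroidManifest.xml and a list of strings extracted from an APK's DEX files (as apktool or a strings dump would produce) and flags the combination of surveillance permissions, cloud-service C2/exfiltration URL shapes, foreground-service persistence, and launcher-icon hiding. The sample manifest, the URLs and the project IDs are constructed placeholders; the URL patterns match generic service hostnames, not campaign-specific indicators.

```python
"""Static APK triage heuristic modelled on the Arsink behaviours reported above.
All sample data below is constructed for this example."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together cover the data the report says Arsink harvests.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.GET_ACCOUNTS",
}

# URL shapes of the legitimate services the report names as C2/exfil channels.
C2_PATTERNS = {
    "firebase_rtdb": re.compile(r"https://[\w.-]+\.firebaseio\.com", re.I),
    "firebase_storage": re.compile(r"https://firebasestorage\.googleapis\.com/", re.I),
    "apps_script": re.compile(r"https://script\.google\.com/macros/s/[\w-]+/exec", re.I),
    "telegram_bot": re.compile(r"https://api\.telegram\.org/bot\d+:[\w-]+", re.I),
}

# DEX-level API names that a static pass can tie to the persistence behaviour
# (hiding the launcher icon, running as a foreground service).
PERSISTENCE_MARKERS = {
    "launcher_icon_hiding": "setComponentEnabledSetting",
    "foreground_service": "startForeground",
}


def triage(manifest_xml: str, dex_strings: list[str]) -> dict:
    """Score one APK from its decoded manifest and extracted strings."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    surveillance = sorted(perms & SURVEILLANCE_PERMS)
    foreground_perm = "android.permission.FOREGROUND_SERVICE" in perms

    # Collect every cloud-channel URL present, grouped by service type.
    c2 = {}
    for name, pattern in C2_PATTERNS.items():
        hits = sorted({m.group(0) for s in dex_strings for m in pattern.finditer(s)})
        if hits:
            c2[name] = hits

    persistence = sorted(
        key for key, marker in PERSISTENCE_MARKERS.items()
        if any(marker in s for s in dex_strings)
    )

    # Data-theft permissions plus a cloud C2 channel is the combination that
    # distinguishes a RAT from an ordinary over-permissioned app.
    if len(surveillance) >= 3 and c2:
        verdict = "high"
    elif c2 or len(surveillance) >= 3:
        verdict = "review"
    else:
        verdict = "low"

    return {
        "surveillance_permissions": surveillance,
        "foreground_service_permission": foreground_perm,
        "c2": c2,
        "persistence": persistence,
        "verdict": verdict,
    }


# Constructed manifest for a fake "premium" brand impersonation (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.youtube.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="YouTube Premium">
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed DEX strings; project ID and script ID are placeholders, not real indicators.
SAMPLE_DEX_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/devices/",
    "https://script.google.com/macros/s/AKfycb_PLACEHOLDER_ID/exec",
    "setComponentEnabledSetting",
    "startForeground",
    "content://sms/inbox",
]

# Constructed benign control: one permission, no cloud channel, no persistence markers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_DEX_STRINGS = ["https://example.com/api/sync", "onCreate"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
    print(triage(BENIGN_MANIFEST, BENIGN_DEX_STRINGS))
```

The verdict logic deliberately requires both a data-theft permission set and a cloud-hosted channel before reporting "high": a messaging app legitimately reads SMS and contacts, and many clean apps talk to Firebase, but the two together in a sideloaded app impersonating a brand is the profile the report describes. Matches on Firebase or Apps Script URLs are a prompt for analyst review, not a verdict on their own.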
Zimperium worked with Google to disrupt the campaign's infrastructure, resulting in the takedown of multiple Firebase endpoints and malicious Google Apps Script instances. Google has confirmed that known Arsink variants do not exist on the official Play Store, and that Google Play Protect can detect and block the malware, even when infected apps come from sources outside of the Play Store.
The campaign spans 143 countries, which points to an opportunistic operation rather than a targeted regional focus. The researchers warn that the rapid development of new variants and the shifting infrastructure suggest the operation will continue to evolve despite the disruption efforts.