Arsink is a cloud-native Android RAT that exfiltrates extensive personal data and gives remote operators intrusive control over infected devices, abusing legitimate cloud services for C2 and media/file exfiltration. The campaign deployed 1,216 distinct APKs through social-engineered distribution channels worldwide and used 317 Firebase Realtime Database endpoints, Google Apps Script/Drive, and Telegram for C2 and exfiltration. #Arsink #Firebase

Keypoints

  • The campaign comprised 1,216 distinct APK hashes and 317 Firebase RTDB endpoints; telemetry recovered from the misconfigured C2 databases showed ≈45,000 unique victim IPs across ~143 countries, i.e. large scale and global reach.
  • Arsink samples were distributed via social-engineered channels (Telegram, Discord, MediaFire links) and impersonated over 50 popular brands to trick users into sideloading malicious APKs.
  • Researchers identified four operational variants: a Firebase + Apps Script/Drive pipeline; Telegram exfiltration via the Bot API; Firebase Storage for audio/media; and an embedded-payload dropper that installs a second-stage APK from its assets.
  • The malware harvests device identifiers, Google account emails, SMS (including OTPs), call logs, contacts, microphone recordings, photos and arbitrary files, and uploads them to attacker-controlled cloud endpoints or Telegram.
  • Operators gain remote control capabilities (microphone, flashlight, vibration, play audio, set wallpaper, initiate calls, list/upload/delete files) and can issue destructive wipes of external storage.
  • Coordinated takedown efforts with Google removed many malicious Firebase endpoints and Apps Script instances, but rapid variant churn highlights the importance of on-device, behavior-based detection and prevention.

MITRE Techniques

  • [T1476] Deliver Malicious App via Other Means – Malicious APKs distributed outside official stores via direct links, DMs, and file hosts, relying on victims to sideload them.
  • [T1660] Phishing – Messages and links on Telegram, WhatsApp, Discord, and MediaFire lured users into installing or sideloading the APKs.
  • [T1426] System Information Discovery – Collects OS, build, model, version, serial, and other device identifiers to profile victims.
  • [T1422] System Network Configuration Discovery – Gathers network-related information (interfaces, IMSI/IMEI, public IP lookup).
  • [T1533] Data from Local System – Enumerates files and media on external storage and in local data stores for exfiltration.
  • [T1636.004] Protected User Data: SMS Messages – Reads and continuously exfiltrates SMS messages, including OTPs.
  • [T1636.002] Protected User Data: Call Log – Harvests call history (numbers, call types, timestamps, durations).
  • [T1636.003] Protected User Data: Contact List – Reads the contacts/address book for bulk exfiltration.
  • [T1429] Audio Capture – Records microphone audio and stages or uploads the recordings to cloud storage.
  • [T1541] Foreground Persistence – Starts a foreground service with a sticky notification to keep running and retain sensor access.
  • [T1628.001] Hide Artifacts: Suppress Application Icon – Hides the launcher icon to avoid casual detection and uninstallation.
  • [T1437] Application Layer Protocol (Web/HTTPS) – Uses web APIs and cloud services (Firebase RTDB/Storage, Apps Script/Drive, Telegram Bot API) for C2 and control.
  • [T1646] Exfiltration Over C2 Channel – Sends stolen data over the same channels used for C2 (Firebase endpoints, Telegram Bot API, Apps Script).
  • [T1630.002] Indicator Removal on Host: File Deletion – Mapped here for the operator-triggered destructive wipe of the external storage root (device wipe/file deletion behavior).

Indicators of Compromise

  • [File hashes] Observed malicious APK samples – 1,216 distinct APK hashes; representative hashes are not listed in the article.
  • [Firebase RTDB endpoints] C2/data sinks – 317 distinct attacker-controlled Firebase Realtime Database endpoints used for command-and-control and exfiltration.
  • [Victim IP addresses] Infected-device telemetry – ≈45,000 unique victim IPs extracted from misconfigured C2 databases (largest clusters: Egypt ≈13,000, Indonesia ≈7,000, with many other country clusters).
  • [File names / embedded payloads] Dropper artifacts and staged filenames – Ai_App.zip → Ai_App.apk → App.apk, used to repackage and install secondary payloads.
  • [Distribution links / hosting platforms] Delivery channels – Telegram channel posts, Discord posts, and MediaFire-hosted APK links used to distribute malicious installers.
  • [Google Apps Script instances] Abuse of Google cloud scripts for large-file exfiltration – malicious Apps Script instances that upload base64-encoded large files to Drive (multiple instances identified and disabled by Google).
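As an added example (not code from the Zimperium write-up or from the Arsink samples), the following Python script triages an APK for the traits catalogued in the keypoints, technique mappings and indicators above: cloud-service C2 URLs (Firebase RTDB/Storage, Apps Script, Telegram Bot API), the permission set needed to harvest SMS, call logs, contacts and audio, and a second-stage payload shipped in assets/. The regexes, permission list, scoring thresholds and the sample APK it builds (a text manifest, a fake DEX string table and an Ai_App.zip wrapper) are this example's own assumptions; the URLs and bot token inside are placeholders, not campaign IOCs.

```python
"""Static APK triage for the cloud-C2, data-harvesting and dropper traits
described above (added example, not Zimperium's tooling)."""
import io
import re
import zipfile

# URL shapes of the cloud services the campaign abused for C2/exfiltration.
# These match the service patterns, not campaign-specific endpoints.
CLOUD_PATTERNS = {
    "firebase_rtdb": re.compile(
        rb"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"),
    "firebase_storage": re.compile(rb"https://firebasestorage\.googleapis\.com/v0/b/[a-z0-9.-]+"),
    "apps_script": re.compile(rb"https://script\.google\.com/macros/s/[A-Za-z0-9_-]+/exec"),
    "telegram_bot_api": re.compile(rb"https://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+"),
}

# Permissions that together match the harvesting profile (SMS/OTP, call log,
# contacts, Google account email, microphone, foreground persistence).
SPY_PERMISSIONS = (
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.FOREGROUND_SERVICE",
)
PAYLOAD_SUFFIXES = (".apk", ".zip", ".dex", ".jar")
VERDICTS = {0: "clean", 1: "review", 2: "suspicious", 3: "likely-dropper"}


def find_permissions(manifest: bytes) -> list:
    """Heuristic permission check. A real AndroidManifest.xml is binary AXML
    whose string pool is usually UTF-16LE, so test both encodings rather than
    parsing the XML; use androguard/apktool for an authoritative decode."""
    found = []
    for perm in SPY_PERMISSIONS:
        if perm.encode() in manifest or perm.encode("utf-16-le") in manifest:
            found.append(perm)
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a ZIP) for cloud-C2 URLs, spy permissions and embedded
    second-stage payloads under assets/. Returns a report dict with a verdict."""
    endpoints = {}
    report = {"spy_permissions": [], "embedded_payloads": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["spy_permissions"] = find_permissions(zf.read(name))
                continue
            if name.startswith("assets/") and name.lower().endswith(PAYLOAD_SUFFIXES):
                # Dropper variant: a second-stage APK/ZIP shipped inside assets/.
                report["embedded_payloads"].append(name)
            if name.endswith(".dex") or name.startswith(("assets/", "res/raw/")):
                # DEX string tables keep ASCII URLs verbatim, so a byte regex works.
                blob = zf.read(name)
                for label, pattern in CLOUD_PATTERNS.items():
                    for match in pattern.findall(blob):
                        endpoints.setdefault(label, set()).add(match.decode())
    report["cloud_endpoints"] = {k: sorted(v) for k, v in endpoints.items()}
    # One point per trait family; thresholds are this example's assumption.
    score = (bool(report["cloud_endpoints"])
             + (len(report["spy_permissions"]) >= 3)
             + bool(report["embedded_payloads"]))
    report["verdict"] = VERDICTS[score]
    return report


def build_zip(entries: dict) -> bytes:
    """Write an in-memory ZIP; used only to construct the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample, not a real Arsink APK: a plain-text manifest (real
    ones are binary AXML), a fake classes.dex string table with hypothetical
    endpoints, and a nested Ai_App.zip -> Ai_App.apk dropper payload."""
    manifest = b"""<manifest package="com.example.fakebrand">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""
    fake_dex = (b"dex\n035\x00"
                b"https://demo-project-default-rtdb.firebaseio.com/devices.json\x00"
                b"https://script.google.com/macros/s/AKfycbEXAMPLEdeployid/exec\x00"
                b"https://api.telegram.org/bot123456789:AAEXAMPLE_token_value/sendDocument\x00")
    inner = build_zip({"Ai_App.apk": b"second-stage placeholder"})
    return build_zip({"AndroidManifest.xml": manifest,
                      "classes.dex": fake_dex,
                      "assets/Ai_App.zip": inner})


if __name__ == "__main__":
    import json
    print(json.dumps(scan_apk(build_sample_apk()), indent=2))
```

Treat a clean verdict as weak evidence only: the strings can be encrypted or assembled at runtime, a packed sample hides its DEX, and a production triage should decode the binary manifest with androguard or apktool and pair this static pass with the on-device, behavior-based detection the write-up recommends.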

Read more: https://zimperium.com/blog/the-rise-of-arsink-rat