# Arsink
Android RAT/spyware distributed through social engineering on Telegram and Discord channels. Discovered by Zimperium in late 2025, Arsink impersonated 50+ popular brands (WhatsApp, YouTube, TikTok, Instagram, Facebook, Google) as "premium" or "mod" versions. Notable for using legitimate Google cloud infrastructure (Firebase RTDB, Storage, Apps Script, Drive) as C2 to evade network-level detection. 1,216 unique samples were identified across 143 countries, with ~45,000 victim IPs.
## Overview
| Property | Value |
|---|---|
| First Seen | Late 2025 |
| Type | RAT / Surveillance spyware |
| Attribution | Unknown |
| Aliases | Trojan:AndroidOS/Arsink!rfn (Microsoft) |
## Distribution
Social engineering via Telegram channels, Discord posts, and MediaFire-hosted APK links. Impersonated 50+ popular brands as "premium", "pro", or "mod" versions.
## Capabilities
| Capability | Implementation |
|---|---|
| SMS interception | Including OTPs for account takeover |
| Call/contacts/location | Full device data harvesting |
| Microphone recording | Ambient audio capture |
| Photo/file exfiltration | Remote access to device storage |
| Remote commands | File operations, initiate calls, storage wipe |
| Stealth | Launcher icon hiding |
| Persistence | Foreground service |
| Modular C2 | Firebase RTDB, Google Drive, Google Apps Script, Telegram bots |
## Scale
| Metric | Value |
|---|---|
| Unique APK samples | 1,216 |
| Firebase C2 endpoints | 317 |
| Victim IPs | ~45,000 |
| Countries affected | 143 |
| Most affected country | Egypt (~13,000 devices) |
| Second most affected | Indonesia (~7,000) |
| Other heavily affected | Iraq, Yemen, Turkey, Pakistan, India |
## Significance
Arsink's use of legitimate Google cloud infrastructure (Firebase, Drive, Apps Script) as C2 makes it difficult to block at the network level since these domains are used by millions of legitimate apps.
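Because the cloud C2 domains cannot be blocked, detection has to lean on the app itself. The following static triage heuristic combines the traits from the capability table (surveillance permissions, Google/Telegram backends, brand impersonation as a "premium/pro/mod" build); it is an added example, not Zimperium's or any vendor's tooling, and assumes the package name, label, permissions and URL strings were already extracted from the APK (e.g. with androguard). The non-brand package names, project names and sample values are constructed.

```python
from dataclasses import dataclass
# Permission -> capability, following the page's capability table.
SURVEILLANCE_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECORD_AUDIO": "Microphone recording",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Call log",
    "android.permission.FOREGROUND_SERVICE": "Foreground-service persistence",
}
# Legitimate hosts Arsink used as C2. Benign on their own (millions of apps use Firebase),
# so they only count when combined with surveillance permissions.
CLOUD_C2_HOSTS = ("firebaseio.com", "script.google.com", "drive.google.com", "api.telegram.org")
# Impersonated brands and their genuine package names.
BRAND_PACKAGES = {"whatsapp": "com.whatsapp", "youtube": "com.google.android.youtube",
                  "tiktok": "com.zhiliaoapp.musically", "instagram": "com.instagram.android",
                  "facebook": "com.facebook.katana"}

@dataclass
class ApkFeatures:
    package: str      # manifest package name
    label: str        # application label shown to the user
    permissions: set  # <uses-permission> names
    urls: list        # URL-like string constants pulled from resources/dex

def triage(f: ApkFeatures) -> dict:
    # Capabilities implied by permissions, then human-readable indicators and a verdict.
    caps = sorted({SURVEILLANCE_PERMS[p] for p in f.permissions if p in SURVEILLANCE_PERMS})
    words = f.label.lower().split()
    indicators = [f"label claims {b!r} but package is {f.package}"
                  for b, official in BRAND_PACKAGES.items() if b in words and f.package != official]
    if any(w in words for w in ("premium", "pro", "mod")):
        indicators.append("advertised as a premium/pro/mod build")
    cloud = sorted({h for u in f.urls for h in CLOUD_C2_HOSTS if h in u})
    if cloud and len(caps) >= 2:
        indicators.append(f"surveillance permissions plus cloud backends {cloud}")
    if "SMS interception" in caps:
        indicators.append("can read incoming SMS (OTP theft)")
    impersonates = any(i.startswith("label claims") for i in indicators)
    return {"capabilities": caps, "indicators": indicators,
            "suspicious": impersonates or (bool(cloud) and len(caps) >= 2)}

# Constructed sample: a fake "WhatsApp Premium" carrying the Arsink permission set.
SAMPLE = ApkFeatures(
    package="com.example.wa.premium", label="WhatsApp Premium",
    permissions={"android.permission.RECEIVE_SMS", "android.permission.RECORD_AUDIO",
                 "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
                 "android.permission.FOREGROUND_SERVICE", "android.permission.INTERNET"},
    urls=["https://example-rtdb.firebaseio.com/", "https://api.telegram.org/bot<token>"])
```

Run `triage(SAMPLE)` to see the indicator list; a genuine app using Firebase with no surveillance permissions produces no indicators.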