The Rise of Arsink Rat
ID: 99f0dd6e-d38b-5363-bf73-0b771f67985a
STIX ID: report--99f0dd6e-d38b-5363-bf73-0b771f67985a
Feed Name: Zimperium Blog
Arsink is a cloud-native Android RAT campaign that aggressively harvests sensitive data (SMS including OTPs, call logs, contacts, microphone recordings, photos, and device identifiers) and offers remote control and destructive actions. Operators distribute deceptive APKs via social-engineered channels (Telegram, Discord, MediaFire) while abusing legitimate cloud services (Firebase RTDB/Storage, Google Apps Script/Drive, Telegram Bot API) for C2 and exfiltration. The analysis documents the campaign's large scale (≈1,216 unique APKs, 317 Firebase endpoints, ≈45,000 infected IPs across 143 countries) and coordinated takedown efforts with Google, and warns that rapid variant churn and continued abuse of cloud services keep the risk alive.
