Arsink Spyware Posing as WhatsApp, YouTube, Instagram, TikTok Hits 143 Countries


Researchers at Zimperium zLabs have identified Arsink, a dangerous Android Trojan that impersonates 50+ popular brands, including WhatsApp and TikTok. With over 45,000 victims across 143 countries, this malware grants hackers complete remote control to record audio, read text messages, and wipe devices.

A massive new spying operation has been caught targeting Android users across 143 countries. The malware, known as Arsink, is what experts call a Remote Access Trojan (RAT). The team at zLabs (part of the security firm Zimperium) discovered the threat after finding 1,216 unique versions of the malicious software.

The ‘Pro’ App Trap

Notably, the hackers are not using the official Google Play Store to spread the malware. Instead, they post links on Telegram and Discord or use the file-sharing site MediaFire.

As zLabs researchers explained in their detailed blog post, shared with Hackread.com, this is a rather simple trick where hackers impersonate more than 50 world-famous brands like WhatsApp, Instagram, YouTube, and TikTok.

They basically offer ‘Pro’ or ‘Mod’ versions of these apps, promising special features that the real apps don’t have. But, as soon as you download one, the app immediately asks for a long list of permissions.

It is easy to just tap “allow” to get to the features, but researchers found that these apps are actually empty shells. They often hide their own icon as soon as they are installed, staying invisible while they work in the background. Some versions even come with a hidden second “payload” tucked inside the app, allowing the malware to infect your phone even if you are offline.

Brands impersonated in the campaign (Source: Zimperium)

How the Apps Gain Total Control

Once Arsink is inside, it starts a “continuous background service” to ensure it never turns off. Researchers noted that the malware has a terrifying list of abilities. This includes the ability to listen to your conversations through the microphone and steal your photos, read every text message you send or receive, and see your contacts, call history, and even your Google account email.

What’s even more troubling is that the hackers can send live commands to your device. They can force your phone to make calls, track your exact location, and even perform a “destructive wipe” of your entire storage, the report reads. The stolen data is then quietly sent back to the hackers using 317 different database points, including Firebase, Telegram bots, or hidden folders on Google Drive.
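The permission requests and background service described above can be checked before an APK is trusted. The following triage sketch is an added example, not code from Zimperium or Hackread: it flags a decoded manifest whose label borrows a brand name while its package ID is not the brand's official one, and which also declares a service and requests several of the capabilities listed in this section. The capability-to-permission mapping, the threshold of four, and the sample package names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping (not from the report): article capability -> standard Android permission.
CAPABILITY_PERMS = {
    "record audio": "android.permission.RECORD_AUDIO",
    "read text messages": "android.permission.READ_SMS",
    "read contacts": "android.permission.READ_CONTACTS",
    "read call history": "android.permission.READ_CALL_LOG",
    "read account email": "android.permission.GET_ACCOUNTS",
    "place calls": "android.permission.CALL_PHONE",
    "track location": "android.permission.ACCESS_FINE_LOCATION",
}
# Official package IDs for four of the impersonated brands named in the article.
OFFICIAL_PACKAGES = {
    "whatsapp": {"com.whatsapp"},
    "youtube": {"com.google.android.youtube"},
    "instagram": {"com.instagram.android"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
}

def triage_manifest(manifest_xml, min_capabilities=4):
    """Flag a decoded AndroidManifest.xml; min_capabilities is a hypothetical threshold."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # Assumes the label is a literal string, not an @string/ resource reference.
    label = (app.get(ANDROID + "label", "") if app is not None else "").lower()
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    capabilities = sorted(c for c, p in CAPABILITY_PERMS.items() if p in requested)
    impersonated = [b for b, pkgs in OFFICIAL_PACKAGES.items()
                    if b in label and package not in pkgs]
    has_service = app is not None and app.find("service") is not None
    suspicious = bool(impersonated) and has_service and len(capabilities) >= min_capabilities
    return {"package": package, "impersonated": impersonated,
            "capabilities": capabilities, "has_service": has_service, "suspicious": suspicious}

def build_sample(package, label, perms, service=True):
    """Constructed test input: a minimal decoded manifest, not a real sample."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    svc = '<service android:name=".BgService"/>' if service else ""
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application android:label="{label}">{svc}'
            f'</application></manifest>')

if __name__ == "__main__":
    fake = build_sample("com.example.wa.pro", "WhatsApp Pro", CAPABILITY_PERMS.values())
    print(triage_manifest(fake))
```

A hit is a reason to inspect the APK further, not a verdict: legitimate apps can request the same permissions, which is why the brand and package mismatch is required as well.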

A Global Problem

This isn’t just happening in one place. The infection has a massive footprint: about 45,000 devices have been hit so far, with the biggest clusters identified in Egypt (around 13,000 phones), Indonesia (7,000), and Iraq (3,000).

Geographic Distribution of Victims (Source: Zimperium)

“Arsink is an opportunistic, mass-distribution threat rather than a regionally targeted campaign, leveraging brand impersonation and social platforms to achieve worldwide penetration,” researchers concluded.

While Zimperium worked with Google to shut down the malicious accounts and databases linked to the attack, the threat isn’t gone. Attackers can set up new “home bases” almost as fast as the old ones are closed. To stay safe, it is best to stick to the official App Store and avoid any “free” premium apps you see on social media.
