MediaFire A.I CyberSecurity Scoring
MediaFire
Company Information
Website: https://www.mediafire.com
Employees number: 60
Number of followers: 580
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: mediafire.com
MediaFire Risk Score (AI oriented)
Between 700 and 749
MediaFire, IT Services and IT Consulting
Updated: 03/04/2026
716/1000
Moderate
Ba
MediaFire Global Score (TPRM)
xxxx
MediaFire, IT Services and IT Consulting
Score locked
MediaFire: Moderate
Current Score
716 Ba (MODERATE)
2 incidents
-28 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
718
MAY 2026
717
APRIL 2026
717
MARCH 2026
715
FEBRUARY 2026
741
Cyber Attack
02 Feb 2026 • MediaFire
YouTube, Discord, Google, MediaFire, Telegram, Facebook and TikTok: Arsink RAT Targets Android Devices To Steal Data and Enable Remote Control
Arsink: Android Malware Exploits Cloud Tools for Large-Scale Data Theft
713
CRITICAL, -28
MEDZYPTELMETTIKGOOYOU1770029110
A sophisticated Android remote access trojan (RAT) dubbed Arsink has been uncovered, leveraging free cloud services to steal sensitive data and remotely control infected devices. Security firm Zimperium tracked the malware over several months, identifying 1,216 unique APK files, 317 Firebase command-and-control (C2) servers, and 45,000 victim IP addresses across 143 countries.
### Distribution & Deception
Hackers distributed Arsink through Telegram channels, Discord posts, and MediaFire links, disguising it as modified or "pro" versions of popular apps from over 50 brands, including Google, YouTube, WhatsApp, Instagram, TikTok, and Facebook. Once installed, the malware requests excessive permissions, hides its icon, and operates covertly, offering no legitimate functionality while harvesting data.
### Four Attack Variants
Zimperium identified four primary Arsink variants, each using different cloud-based exfiltration methods:
1. Firebase + Google Apps Script – Small data (e.g., device info) is sent to Firebase Realtime Database, while larger files (photos, audio) are uploaded via Google Apps Script to Google Drive.
2. Telegram Exfiltration – SMS messages, call logs, and device details are transmitted directly to a hacker-controlled Telegram bot.
3. Embedded Dropper – A secondary payload is hidden within the app, extracted and renamed (e.g., Ai_App.zip to App.apk) without requiring internet downloads, evading detection.
4. Hybrid Cloud Abuse – Combines Firebase, Google Drive, and Telegram for data theft and command execution.
### Data Theft & Remote Control
Arsink captures a full device snapshot, including:
- Device details (model, battery, location, Google account emails)
- SMS messages (including one-time passcodes)
- Call logs & contacts
- Microphone recordings (stored in cloud storage)
- Photos & files (listed for potential upload)
Attackers can remotely:
- Toggle the flashlight, vibrate the phone, or play sounds
- Change wallpaper, display messages, or speak text via text-to-speech
- Initiate calls, manage files (upload, delete, wipe external storage)
- Hide the app icon and maintain persistence via fake foreground notifications
### Global Impact & Victim Distribution
The malware has infected users across the Middle East, Asia, Africa, Europe, and the Americas, with the highest concentrations in:
- Egypt (13,000 infections)
- Indonesia (7,000)
- Iraq & Yemen (3,000 each)
- Türkiye (2,000)
- Pakistan & India (2,500 each)
- Bangladesh (1,600)
- Algeria & Morocco (1,000 each)
India’s high infection rate correlates with frequent Telegram-based APK distribution.
### Mitigation & Response
Zimperium collaborated with Google to dismantle malicious Firebase endpoints, Apps Scripts, and accounts. Google Play Protect now blocks known Arsink samples outside the Play Store. However, attackers rapidly adapt, making behavior-based detection critical for enterprises, particularly as the malware targets work-related credentials via SMS interception.
Arsink’s use of legitimate cloud services for C2 operations highlights the growing challenge of detecting malware that blends into normal traffic.
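The two lures described above (a brand name on an app whose package id is not that brand's, and a permission set that matches the data the malware harvests) can be triaged from a decoded manifest before an APK is ever installed. The following is an added example written for this page; it is not Zimperium's tooling or any code from the report. The brand-to-package allowlist, the permission categories, the scoring thresholds and both sample manifests are constructed assumptions.

```python
"""Manifest triage for sideloaded APKs (added example; not Zimperium's or the page's code).

Input: a decoded AndroidManifest.xml as text, e.g. from apktool output.
Signals checked, taken from the Arsink write-up: a brand name in the app label
whose package id is not the brand's genuine one, and a breadth of data-access
permissions matching the data types the malware collects.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:-namespaced attributes

# Assumed allowlist of genuine package ids for a few brands named in the report.
GENUINE_PACKAGES = {
    "youtube": ("com.google.android.youtube",),
    "whatsapp": ("com.whatsapp",),
    "instagram": ("com.instagram.android",),
    "facebook": ("com.facebook.katana",),
    "tiktok": ("com.zhiliaoapp.musically", "com.ss.android.ugc.trill"),
}

# Permission -> category of data the report says Arsink collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.CALL_PHONE": "calls",
}


def analyze_manifest(manifest_xml: str) -> dict:
    """Return a triage record for one manifest; the thresholds are a constructed heuristic."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()

    # Brand impersonation: the label names a brand but the package id is not the genuine one.
    impersonated = None
    for brand, genuine in GENUINE_PACKAGES.items():
        if brand in label and not package.startswith(genuine):
            impersonated = brand
            break

    requested = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    categories = sorted({SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS})

    score = len(categories) + (3 if impersonated else 0)
    verdict = "suspicious" if score >= 5 else ("review" if score >= 3 else "low")
    return {
        "package": package,
        "label": label,
        "impersonated_brand": impersonated,
        "sensitive_categories": categories,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifests for demonstration; neither is a real Arsink sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ytpro.mod">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="YouTube Pro">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.youtube">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="YouTube">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(m))
```

The heuristic deliberately scores breadth of data access rather than any single permission, since a genuine messaging app legitimately reads SMS; it is the combination of SMS, call log, contacts, microphone and location behind a borrowed brand name that matches the snapshot the report describes.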
JANUARY 2026
741
DECEMBER 2025
741
NOVEMBER 2025
741
OCTOBER 2025
740
SEPTEMBER 2025
740
AUGUST 2025
739
JULY 2025
739
NOVEMBER 2024
751
Cyber Attack
01 Nov 2024 • MediaFire
Facebook, Dropbox and MediaFire: Threat Actors Exploit Copyright Takedowns to Deliver Malware
Lone None Threat Group Deploys New Stealers via Fake Copyright Takedown Notices
734
CRITICAL, -17
FACDROMED1768636787
Since November 2024, the Lone None threat actor group has been orchestrating a sophisticated email campaign distributing two information stealers: Pure Logs Stealer and the newly identified Lone None Stealer (PXA Stealer). The campaign spoofs legal firms worldwide, using copyright infringement takedown notices as lures to trick recipients into executing malicious payloads.
The emails, written in at least ten languages, likely via machine translation or AI, reference authentic Facebook accounts of victims to enhance credibility. Embedded links, often shortened via t[.]ee or g[.]su, redirect to free file-hosting services like Dropbox and MediaFire, where victims download an archive disguised as a PDF reader installer.
In reality, the archive contains a repurposed Haihaisoft PDF Reader executable, a malicious DLL acting as a Python installer, legitimate documents, and files with mismatched extensions. Upon execution, the loader uses Windows certutil.exe to decode a disguised PDF archive, saving it under a different extension. A bundled WinRAR executable (renamed "images.png") extracts the decoded files into C:\Users\Public.
The malicious DLL then launches a staged Python interpreter (svchost.exe), installing Python in the same directory and executing an obfuscated script. The script communicates with a Telegram bot C2 channel, where part of a paste[.]rs URL is stored in the bot’s bio. The script reconstructs the URL to fetch a secondary payload from 0x0[.]st, delivering either Pure Logs Stealer or Lone None Stealer.
Both stealers employ Base64/Base85 encoding and AES encryption to evade detection. Lone None Stealer specifically targets cryptocurrency by monitoring the Windows clipboard for wallet addresses, replacing them with actor-controlled wallets for Bitcoin, Ethereum, and Solana. Observed wallet addresses include:
- Bitcoin: `1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L`
- Ethereum: `0xd38c3fc36ee1d0f4c4ddaeebb72e5ce2d5e7646c`
- Solana: `GQwKEEi49iKywE8ycnFsxRhxJTVf6YsoJb2vAFigc8`
Earlier variants delivered XWorm and DuckTail, but recent attacks have streamlined to focus on Pure Logs Stealer’s RAT capabilities and Lone None Stealer’s cryptocurrency theft. Persistence is maintained via a registry Run key pointing to the staged Python interpreter.
Defenders are advised to monitor for clandestine Python installations in C:\Users\Public\Windows, suspicious Run key entries, and anomalous executions of certutil.exe and WinRAR with renamed files. The campaign underscores the evolving tactics of threat actors in leveraging social engineering and unconventional C2 channels to distribute malware.
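The monitoring advice above maps directly onto a handful of endpoint detection rules: certutil.exe invoked as a decoder, an svchost.exe image outside System32, a binary executed under a non-executable extension such as images.png, anything launched from C:\Users\Public, and a Run key pointing there. The following is an added example written for this page, not code from the page or from the researchers who tracked the campaign. The event shape (image, cmdline, parent, key, value_data) is an assumed simplification of Sysmon/EDR telemetry, and every sample event is constructed.

```python
"""Endpoint detections for the Lone None delivery chain (added example; not the page's code).

Events are constructed, in the shape of process-creation and registry-value
telemetry; the field names are assumptions, not any vendor's schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the executed binary
    cmdline: str
    parent: str


@dataclass
class RegEvent:
    key: str         # registry key path
    value_data: str  # data written to the value


PUBLIC_DIR = r"c:\users\public"
NON_EXEC_EXTENSIONS = {"png", "jpg", "gif", "pdf", "txt", "dat"}


def _under_public(path: str) -> bool:
    # Normalise case and strip surrounding quotes before the prefix test.
    return path.lower().strip('"').startswith(PUBLIC_DIR)


def detect_process(ev: ProcEvent) -> list:
    """Return the names of every rule the process event matches."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower()
    name = image.rsplit("\\", 1)[-1]
    hits = []
    # certutil used as a decoder (the loader decodes the disguised archive with it)
    if name == "certutil.exe" and "-decode" in cmd:
        hits.append("certutil_decode")
    # svchost.exe running from anywhere but System32/SysWOW64 (the staged Python interpreter)
    if name == "svchost.exe" and not re.search(r"\\windows\\(system32|syswow64)\\svchost\.exe$", image):
        hits.append("svchost_outside_system32")
    # an image with a non-executable extension being executed (the renamed WinRAR "images.png")
    if name.rsplit(".", 1)[-1] in NON_EXEC_EXTENSIONS:
        hits.append("non_exe_extension_executed")
    # anything executing out of the Public profile
    if _under_public(image):
        hits.append("exec_from_users_public")
    return hits


def detect_registry(ev: RegEvent) -> list:
    """Flag Run/RunOnce persistence whose target lives under the Public profile."""
    hits = []
    if "\\currentversion\\run" in ev.key.lower() and _under_public(ev.value_data):
        hits.append("run_key_to_users_public")
    return hits


def run_detections(proc_events, reg_events) -> list:
    """Apply all rules and return only the events that fired, with their rule names."""
    alerts = []
    for ev in proc_events:
        hits = detect_process(ev)
        if hits:
            alerts.append({"source": "process", "image": ev.image, "rules": hits})
    for ev in reg_events:
        hits = detect_registry(ev)
        if hits:
            alerts.append({"source": "registry", "key": ev.key, "rules": hits})
    return alerts


# Constructed sample telemetry mirroring the chain described above (reader.exe is a placeholder).
SAMPLE_PROC_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\Users\Public\invoice.pdf C:\Users\Public\invoice.dat",
              r"C:\Users\Public\reader.exe"),
    ProcEvent(r"C:\Users\Public\images.png",
              r"C:\Users\Public\images.png x -y C:\Users\Public\invoice.dat C:\Users\Public",
              r"C:\Users\Public\reader.exe"),
    ProcEvent(r"C:\Users\Public\Windows\svchost.exe",
              r"C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\main.py",
              r"C:\Users\Public\reader.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"certutil.exe -verify C:\Temp\site.cer",
              r"C:\Windows\explorer.exe"),
]
SAMPLE_REG_EVENTS = [
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             r"C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\main.py"),
    RegEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             r"C:\Program Files\Vendor\updater.exe /background"),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROC_EVENTS, SAMPLE_REG_EVENTS):
        print(alert)
```

The two benign events (the real svchost.exe under System32 and certutil.exe used for certificate verification) are there to show the rules key on location and argument rather than on the binary name alone, which is what keeps the svchost and certutil rules from flooding a SOC queue.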
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for MediaFire?
What was MediaFire's A.I Rankiteo Cyber Score in May 2026?
What was MediaFire's A.I Rankiteo Cyber Score in April 2026?
What was MediaFire's A.I Rankiteo Cyber Score in March 2026?
What was MediaFire's A.I Rankiteo Cyber Score in February 2026?
What was MediaFire's A.I Rankiteo Cyber Score in January 2026?
What was MediaFire's A.I Rankiteo Cyber Score in December 2025?
What was MediaFire's A.I Rankiteo Cyber Score in November 2025?
What was MediaFire's A.I Rankiteo Cyber Score in October 2025?
What was MediaFire's A.I Rankiteo Cyber Score in September 2025?
What was MediaFire's A.I Rankiteo Cyber Score in August 2025?
What was MediaFire's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on MediaFire's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with MediaFire?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view MediaFire's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?