YouTube A.I CyberSecurity Scoring
YouTube
Company Information
Website: http://www.youtube.com/jobs
Number of employees: 144,383
Number of followers: 2,476,392
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: youtube.com
YouTube Risk Score (AI oriented)
Between 700 and 749
Updated: 01/04/2026
746/1000 (Moderate, Ba)
YouTube Global Score (TPRM)
Score locked
Current Score: 746 Ba (MODERATE)
2 incidents
-12 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 750
MAY 2026: 748
APRIL 2026: 748
MARCH 2026: 745
FEBRUARY 2026: 755
Cyber Attack
02 Feb 2026 • YouTube
YouTube, Discord, Google, MediaFire, Telegram, Facebook and TikTok: Arsink RAT Targets Android Devices To Steal Data and Enable Remote Control
Arsink: Android Malware Exploits Cloud Tools for Large-Scale Data Theft
743
CRITICAL-12
MEDZYPTELMETTIKGOOYOU1770029110
A sophisticated Android remote access trojan (RAT) dubbed Arsink has been uncovered, leveraging free cloud services to steal sensitive data and remotely control infected devices. Security firm Zimperium tracked the malware over several months, identifying 1,216 unique APK files, 317 Firebase command-and-control (C2) servers, and 45,000 victim IP addresses across 143 countries.
### Distribution & Deception
Hackers distributed Arsink through Telegram channels, Discord posts, and MediaFire links, disguising it as modified or "pro" versions of popular apps from over 50 brands, including Google, YouTube, WhatsApp, Instagram, TikTok, and Facebook. Once installed, the malware requests excessive permissions, hides its icon, and operates covertly, offering no legitimate functionality while harvesting data.
### Four Attack Variants
Zimperium identified four primary Arsink variants, each using different cloud-based exfiltration methods:
1. Firebase + Google Apps Script – Small data (e.g., device info) is sent to Firebase Realtime Database, while larger files (photos, audio) are uploaded via Google Apps Script to Google Drive.
2. Telegram Exfiltration – SMS messages, call logs, and device details are transmitted directly to a hacker-controlled Telegram bot.
3. Embedded Dropper – A secondary payload is hidden within the app, extracted and renamed (e.g., Ai_App.zip to App.apk) without requiring internet downloads, evading detection.
4. Hybrid Cloud Abuse – Combines Firebase, Google Drive, and Telegram for data theft and command execution.
### Data Theft & Remote Control
Arsink captures a full device snapshot, including:
- Device details (model, battery, location, Google account emails)
- SMS messages (including one-time passcodes)
- Call logs & contacts
- Microphone recordings (stored in cloud storage)
- Photos & files (listed for potential upload)
Attackers can remotely:
- Toggle the flashlight, vibrate the phone, or play sounds
- Change wallpaper, display messages, or speak text via text-to-speech
- Initiate calls, manage files (upload, delete, wipe external storage)
- Hide the app icon and maintain persistence via fake foreground notifications
### Global Impact & Victim Distribution
The malware has infected users across the Middle East, Asia, Africa, Europe, and the Americas, with the highest concentrations in:
- Egypt (13,000 infections)
- Indonesia (7,000)
- Iraq & Yemen (3,000 each)
- Türkiye (2,000)
- Pakistan & India (2,500 each)
- Bangladesh (1,600)
- Algeria & Morocco (1,000 each)
India’s high infection rate correlates with frequent Telegram-based APK distribution.
### Mitigation & Response
Zimperium collaborated with Google to dismantle malicious Firebase endpoints, Apps Scripts, and accounts. Google Play Protect now blocks known Arsink samples outside the Play Store. However, attackers rapidly adapt, making behavior-based detection critical for enterprises, particularly as the malware targets work-related credentials via SMS interception.
Arsink’s use of legitimate cloud services for C2 operations highlights the growing challenge of detecting malware that blends into normal traffic.
JANUARY 2026: 755
DECEMBER 2025: 753
NOVEMBER 2025: 752
OCTOBER 2025: 750
SEPTEMBER 2025: 749
AUGUST 2025: 747
JULY 2025: 746
MAY 2025: 838
Breach
30 Apr 2025 • YouTube
Google and YouTube: Nearly 94 Billion Stolen Cookies Found on Dark Web
Widespread Data Exposure via Stolen Internet Cookies on Dark Web
742
CRITICAL-96
GOOYOU1766548552
Billions of Stolen Cookies Flood Dark Web, Exposing User Accounts and Personal Data
A recent investigation by NordVPN and threat exposure platform NordStellar has uncovered a massive trove of stolen internet cookies—approximately 93.7 billion—available for sale on dark web marketplaces. The analysis, conducted between April 23 and April 30, 2025, examined data from Telegram channels, revealing that 15.6 billion of these cookies were still active, posing an immediate security risk.
The stolen cookies contained sensitive data, including user IDs (18 billion), session tokens (1.2 billion), names, email addresses, locations, and even passwords. Session cookies, in particular, allow attackers to hijack active user sessions, granting unauthorized access to accounts without requiring passwords. The compromised data also enables targeted phishing attacks and identity theft.
The majority of stolen cookies originated from major platforms, with Google services accounting for over 4.5 billion, followed by YouTube and Microsoft (each over 1 billion). The primary theft method involved malware, particularly infostealers like Redline, which was responsible for stealing nearly 42 billion cookies.
The findings highlight the growing threat of cookie-based attacks, where seemingly harmless browser files become tools for cybercriminals to exploit personal and corporate security.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for YouTube?
What was YouTube's A.I Rankiteo Cyber Score in May 2026?
What was YouTube's A.I Rankiteo Cyber Score in April 2026?
What was YouTube's A.I Rankiteo Cyber Score in March 2026?
What was YouTube's A.I Rankiteo Cyber Score in February 2026?
What was YouTube's A.I Rankiteo Cyber Score in January 2026?
What was YouTube's A.I Rankiteo Cyber Score in December 2025?
What was YouTube's A.I Rankiteo Cyber Score in November 2025?
What was YouTube's A.I Rankiteo Cyber Score in October 2025?
What was YouTube's A.I Rankiteo Cyber Score in September 2025?
What was YouTube's A.I Rankiteo Cyber Score in August 2025?
What was YouTube's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on YouTube's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with YouTube?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view YouTube's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?