Threat Research, Threat intelligence

Android Arsink RAT Revisited Targeting User Credentials

by Anand Singh

The SonicWall Capture Labs threat research team identified an ongoing Android Remote Access Trojan (RAT) campaign that employs multiple techniques to harvest sensitive user information through phishing and data exfiltration activities by impersonating the actual app icons and using similar names. 

1_App_IconUsed.png
Fig 1: Impersonated App Icons Used in the Malware Campaign.

Additionally, the malware leverages Android Accessibility Services to automate interactions on infected devices and uses Firebase as its command-and-control (C2) infrastructure to facilitate remote communication, execute attacker-issued commands, and exfiltrate collected data. 

These capabilities enable threat actors to remotely manage infected devices, dynamically control malicious operations, and collect sensitive information, including SMS messages, contact lists, call logs, device details, and location data, potentially facilitating surveillance and further compromise of affected users.

Technical Analysis :

2_DeviceImage.png
Fig 2: Fake App Icon Displayed in the App Drawer.
During analysis, the malware was observed targeting Instagram credentials by displaying the login page in an embedded WebView and injecting JavaScript to capture usernames and passwords, which were then exfiltrated to a Firebase backend. The following diagram illustrates the credential harvesting process.
3_FlowDiagram.png
Fig 3: Arsink RAT infection chain targeting Instagram users.
The malware establishes a connection with Firebase as its command-and-control (C2) infrastructure to upload collected data and receive remote commands.
4_Firebase.png
Fig 4: Firebase details used for communication.
5_Instagram_login_pass.png
Fig 5: Read credentials from HTML inputs.

The malware reads SMS messages from the device, stores them in a hidden file located at “/.com.garena.cmdk/cms/.cmsdmp.txt”, verifies the file's existence, and uploads it to Firebase Storage.
6_Club_dumpSms.png
Fig 6: SMS exfiltration capabilities.

It has screen capture functionality that saves the current application screen as a timestamped PNG image on external storage.
7_CaptureScreen.png
Fig 7: Screen Capture
For reconnaissance, the malware enumerates installed applications by collecting their package names and sending the list to Firebase.
8_Retrieves_app_list.png
Fig 8: Retrieves installed app list
It also gathers device information, including the model, manufacturer, Android version, language, and screen resolution, and uploads this information to the backend.
9_DeviceInfo.png
Fig 9: Collects device information

Analysis of the command handlers showed that the Firebase backend delivers instructions enabling attackers to monitor users and remotely control device behaviour.

Commands

Description

openfolderbrowse storage
uploadfileexfiltrate files
sysinfocollect device info
dumpsmssteal SMS
deletefileremove files
openweburiopen URLs
dmpcalllogsteal call logs 
getgpslocationGPS tracking
getnetworklocationnetwork-based location
makefoldercreate folders
installedappsenumerate apps
shownotifyfake notifications
playsmusicplay media
deviceflashonflashlight on
deviceflashoffflashlight off
vibratedevicevibrate device
speachtexttext-to-speech 
changewallpapermodify wallpaper

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOCs)APK file’s SHA-256:
  • 3169795ef4ef482d13cfb4325dfeb74a567448ab16787e8f8235f1aaf75d8fcc
  • 379baa849fffa0a3d25805f9aa1ef6f0de70c320c76207f3a4c6726ed2b6678b
  • 39c1da95c640d72aff44d0ee98e597ef40ecd8899de336dfe4ba70e9c26fe42f
  • 4b4cd4ca93374a8534f79d3edc7855f04905142598498f3a8ae703d40102024b
  • 6a90cf5fa674155ade90992faa445ee5291664b4d3edf7ccedc26c1cec3318ee
  • 781387b1569a49996743e12eb0860eba02876e7612846c3815bd7b1ea1654dc0
  • 7a7c551825cd92cd09da74d722e884312cccd3f163e6edd0d61ea0fe90f1502b
  • 96687056304270686c3cc43f100690589a797fcff6f428ad983ce120283e8b04
  • e2d8ee77b5e3fd173cf2ec5f88fc75f01f338d252ef8586540bbe3d4d1564911
  • e8e485f99744068ac8f375d74586e0d31bad2f4e14d135e99d3c0fe3cfeab465

Share This Article

An Article By

Anand Singh

Threat Researcher
Anand is a cybersecurity researcher specializing in Android malware analysis, uncovering emerging mobile threats, reverse engineering malicious applications, and analyzing the evolving tactics and techniques used by cybercriminals to target users and their devices.