The SonicWall Capture Labs threat research team identified an ongoing Android Remote Access Trojan (RAT) campaign that employs multiple techniques to harvest sensitive user information through phishing and data exfiltration activities by impersonating the actual app icons and using similar names.
Fig 1: Impersonated App Icons Used in the Malware Campaign.
Additionally, the malware leverages Android Accessibility Services to automate interactions on infected devices and uses Firebase as its command-and-control (C2) infrastructure to facilitate remote communication, execute attacker-issued commands, and exfiltrate collected data.
These capabilities enable threat actors to remotely manage infected devices, dynamically control malicious operations, and collect sensitive information, including SMS messages, contact lists, call logs, device details, and location data, potentially facilitating surveillance and further compromise of affected users.
Technical Analysis :
Fig 2: Fake App Icon Displayed in the App Drawer.
During analysis, the malware was observed targeting Instagram credentials by displaying the login page in an embedded WebView and injecting JavaScript to capture usernames and passwords, which were then exfiltrated to a Firebase backend. The following diagram illustrates the credential harvesting process.
Fig 3: Arsink RAT infection chain targeting Instagram users.
The malware establishes a connection with Firebase as its command-and-control (C2) infrastructure to upload collected data and receive remote commands.
Fig 4: Firebase details used for communication.
Fig 5: Read credentials from HTML inputs.
The malware reads SMS messages from the device, stores them in a hidden file located at “/.com.garena.cmdk/cms/.cmsdmp.txt”, verifies the file's existence, and uploads it to Firebase Storage.
Fig 6: SMS exfiltration capabilities.
It has screen capture functionality that saves the current application screen as a timestamped PNG image on external storage.
Fig 7: Screen Capture
For reconnaissance, the malware enumerates installed applications by collecting their package names and sending the list to Firebase.
Fig 8: Retrieves installed app list
It also gathers device information, including the model, manufacturer, Android version, language, and screen resolution, and uploads this information to the backend.
Fig 9: Collects device information
Analysis of the command handlers showed that the Firebase backend delivers instructions enabling attackers to monitor users and remotely control device behaviour.
Commands
Description
openfolder
browse storage
uploadfile
exfiltrate files
sysinfo
collect device info
dumpsms
steal SMS
deletefile
remove files
openweburi
open URLs
dmpcalllog
steal call logs
getgpslocation
GPS tracking
getnetworklocation
network-based location
makefolder
create folders
installedapps
enumerate apps
shownotify
fake notifications
playsmusic
play media
deviceflashon
flashlight on
deviceflashoff
flashlight off
vibratedevice
vibrate device
speachtext
text-to-speech
changewallpaper
modify wallpaper
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOCs)APK file’s SHA-256:
Anand is a cybersecurity researcher specializing in Android malware analysis, uncovering emerging mobile threats, reverse engineering malicious applications, and analyzing the evolving tactics and techniques used by cybercriminals to target users and their devices.