Google Warns Millions of Android Users as Advanced Spyware Targets Phones Worldwide

Islamabad

Google has issued an urgent security warning after researchers uncovered a large-scale Android spyware campaign that has put an estimated 40% of Android devices globally at risk, including thousands of phones in Pakistan, highlighting the growing sophistication of mobile surveillance malware.

The malware, known as Arsink, is not a typical scam app or banking trojan. Security analysts describe it as a cloud-native Android Remote Access Trojan (RAT) designed for covert, long-term spying, capable of recording calls, intercepting messages, stealing credentials, and remotely controlling infected devices without alerting users.

Researchers at mobile security firm Zimperium identified 1,216 distinct malicious app variants, with hundreds abusing legitimate Google services such as Google Apps Script, Firebase Realtime Database, and Google Drive to exfiltrate data and manage command-and-control operations. Investigators traced the operation to more than 45,000 infected IP addresses across 143 countries, underlining its global reach.

Unlike malware typically distributed through app stores, Arsink spreads primarily through social engineering campaigns. The malicious apps are promoted via Telegram channels, Discord groups, third-party websites, and shared download links, often disguised as “mod” or “premium” versions of popular apps linked to platforms such as WhatsApp, Instagram, YouTube, Spotify, Facebook, and TikTok.

Pakistan was among the most affected countries, with researchers estimating around 2,500 infected devices, alongside major clusters in Egypt, Indonesia, Iraq, Yemen, Türkiye, India, and Bangladesh. Analysts note that regions where sideloading APK files and Telegram sharing are common face heightened exposure.

Once installed, the spyware aggressively exploits Android’s permission system, enabling attackers to read SMS messages, bypass two-factor authentication, record phone calls and ambient audio, capture screenshots, steal stored files, and execute remote commands through encrypted servers. Victims are often unaware their phones are compromised.

Google confirmed that Arsink samples were not distributed through the Play Store and said devices with Google Play Protect enabled will receive automatic warnings and protection. The company added that it is working with security researchers to dismantle parts of the malware’s cloud infrastructure, including several malicious endpoints.

Cybersecurity experts have urged Android users—particularly in Pakistan—to avoid installing apps from unofficial sources, review app permissions carefully, and ensure Play Protect remains active, warning that mobile spyware is rapidly evolving into commercial-grade surveillance tools with serious privacy and security implications.
