April 29, 2026 - 11:06 AM

Google Warns Over 1 Billion Android Phones at Risk as Arsink Spyware Spreads

Google and independent cybersecurity researchers have issued warnings about a new Android malware strain known as Arsink, as more than one billion Android devices worldwide are now running software versions that no longer receive security updates.

Arsink is a Remote Access Trojan (RAT) designed to covertly monitor infected smartphones. Once installed, it allows attackers to read messages, access call logs, record audio, extract files, and intercept authentication codes used by banking and messaging applications.

According to mobile security firm Zimperium, Arsink has already infected more than 45,000 Android devices across 143 countries, with the highest concentration of cases reported in India, Indonesia, and Egypt.

“Arsink is particularly dangerous because it blends into trusted Android services and avoids detection by conventional security tools,” Zimperium researchers said in a statement released in early February 2026.

Google confirmed that Arsink is not distributed through the Google Play Store. Instead, attackers are spreading the malware through modified application packages, commonly referred to as “mod” or “premium” APKs.

These malicious files are shared through Telegram channels, Discord servers, file-hosting platforms such as MediaFire, and social media advertisements. The malware is commonly disguised as unofficial versions of popular apps, including WhatsApp, Instagram, and YouTube.

Once installed, the app requests extensive permissions, after which the malware activates silently in the background.

Researchers noted that Arsink disguises its network activity by leveraging Google Firebase and Google Apps Script, making it harder to identify as malicious traffic.

Google confirmed that devices running Android 12 or earlier no longer receive system-level security patches. Data from Moneycontrol and Android platform distribution figures indicate that approximately 42.1 per cent of Android devices globally are running unsupported versions.

This equates to roughly one billion smartphones that are no longer protected against newly discovered vulnerabilities.

Current Android version distribution shows:

  • 57.9% of devices run Android 13 or newer
  • 11.4% run Android 12
  • 13.7% run Android 11
  • 7.8% run Android 10
  • 6.8% run Android 9 or older

Devices launched in 2021 or earlier are among the most affected.

Brands including Samsung, Xiaomi, Oppo, Vivo, and Motorola typically limit security support to a few years, leaving many still-functional devices without protection.

This contrasts with Apple’s update model. StatCounter data indicates that around 50 per cent of iPhones are running iOS 26, while an additional 40 per cent remain on iOS 18, both of which continue to receive security updates.

Google said its Play Protect service continues to operate on devices running Android 7 and newer, providing real-time malware scanning even on unsupported phones.

A Google spokesperson told Forbes:

“Play Protect continues to detect known malware on older devices, but it cannot replace missing system-level security updates, which are critical for defending against advanced threats.”

Security experts warn that relying on malware scanning alone leaves users vulnerable to spyware that exploits unpatched system vulnerabilities.

Cybersecurity specialists warn that infections can lead to credential theft, unauthorised access to financial apps, interception of one-time passwords, identity fraud, and direct financial losses.

“These risks are no longer theoretical,” analysts said, noting that spyware attacks increasingly target everyday users rather than high-profile individuals.

Google’s guidance to users is clear: devices that cannot upgrade beyond Android 12 should be replaced.

The company urged users not to purchase high-end smartphones, noting that modern mid-range devices running Android 13 or later receive monthly security updates and offer significantly stronger protection.

Users can check their device status by opening Settings → About phone → Android version.

With Arsink already active and a large portion of the Android ecosystem frozen on unsupported software, security researchers expect similar malware campaigns to increase in 2026.
