Cellik Android Malware Uses One-Click APK Builder to Hide in Play Store Apps

A newly discovered Android Remote Access Trojan (RAT) called Cellik is democratizing sophisticated mobile surveillance attacks by bundling advanced spyware capabilities with an automated tool that allows attackers to inject malicious code into legitimate Google Play Store applications seamlessly.

The malware represents a significant escalation in Android-targeted threats, combining complete device control, real-time surveillance, and an unprecedented ease of distribution through the world’s largest mobile app marketplace.

Once installed on a target device, the RAT gives operators complete device control through an intuitive dashboard that enables real-time screen streaming and remote UI manipulation, essentially functioning as an invisible VNC session on the compromised phone.

The malware’s surveillance toolkit is comprehensive: it captures live notifications, including private messages and one-time passcodes; logs keystrokes; accesses the entire file system with encryption-protected exfiltration; and controls the device’s camera and microphone for covert multimedia capture.

Cellik live screen streaming/remote control view from the operator panel.

Cellik emerges from cybercrime networks as a turnkey malware-as-a-service platform, offering capabilities traditionally associated with nation-state-level spyware and enterprise security tools.

What distinguishes Cellik from previous Android RAT offerings is its integration with the Google Play Store and its built-in one-click APK builder.

Rather than requiring technical expertise to repackage applications, attackers can directly browse the Play Store catalogue through Cellik’s control panel, select legitimate applications, and automatically generate trojanized versions with the malware payload embedded inside.

This innovation effectively bypasses traditional distribution barriers and significantly increases the likelihood of successful installations across target demographics.

Cellik Android Malware

The malware includes a hidden browser module that operates invisibly on infected devices, enabling attackers to navigate websites, submit forms, and capture credentials without any on-screen indication to the device owner.

Cybercriminals can leverage saved cookies to access accounts, execute phishing attacks, and intercept sensitive form data, including passwords and payment information.

Hidden browser module interface used for stealth browsing/phishing.

Complementing this capability is Cellik’s advanced injection system, which lets threat actors deploy malicious overlays across multiple applications at once, enabling parallel attacks against banking apps, social media platforms, and email services, with harvested credentials funneled back to command-and-control infrastructure.

The seller’s claim that Cellik can bypass Google Play Protect detection by embedding its payload within trusted applications represents a concerning development in mobile security.

While automated review systems typically flag suspicious packages, trojans hidden within repackaged versions of legitimate apps may evade both Google’s security systems and device-level scanners.
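One defender-side check for the repackaging described above is to diff a suspect APK against a trusted copy of the same app: a repackaged APK cannot carry the original developer's signature, so its META-INF signature files always change, and injected code appears as added or modified DEX and native entries. The following is an added example written for this article, not code from the article or from any vendor; the two APKs are constructed in-memory stand-ins and the entry names are assumptions.

```python
import io
import zipfile
from typing import Dict, Tuple

def apk_entries(apk_bytes: bytes) -> Dict[str, Tuple[int, int]]:
    """Map every file entry in an APK (a ZIP container) to (CRC32, uncompressed size)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist() if not i.is_dir()}

def diff_apks(reference: bytes, suspect: bytes) -> dict:
    """Compare a suspect APK with a copy of the same app from a trusted source.
    Re-signing shows up as changed META-INF/* entries; an injected payload shows up
    as added DEX or native-library entries or a modified classes.dex."""
    ref, sus = apk_entries(reference), apk_entries(suspect)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    modified = sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n])
    changed = added + removed + modified
    return {
        "added": added, "removed": removed, "modified": modified,
        "signature_changed": any(n.startswith("META-INF/") for n in changed),
        "code_changed": [n for n in changed if n.endswith(".dex") or n.startswith("lib/")],
    }

def looks_repackaged(report: dict) -> bool:
    """Verdict: the APK was re-signed and its code differs from the trusted copy."""
    return report["signature_changed"] and bool(report["code_changed"])

def build_apk(entries: Dict[str, bytes]) -> bytes:
    """Build a minimal APK-shaped ZIP from name -> bytes (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples (not real APKs): a stand-in for the store original and a repackaged copy.
_BASE = {"AndroidManifest.xml": b"<manifest package='com.example.app'/>",
         "resources.arsc": b"res-table", "res/layout/main.xml": b"<LinearLayout/>"}
ORIGINAL_APK = build_apk({**_BASE, "classes.dex": b"dex\n035\x00original-app-code",
    "META-INF/MANIFEST.MF": b"mf-original", "META-INF/CERT.SF": b"sf-original",
    "META-INF/CERT.RSA": b"pkcs7-developer-cert"})
REPACKAGED_APK = build_apk({**_BASE, "classes.dex": b"dex\n035\x00original-app-code+hook",
    "classes2.dex": b"dex\n035\x00injected-module",   # payload added by the repackager
    "META-INF/MANIFEST.MF": b"mf-re-signed-by-attacker", "META-INF/CERT.SF": b"sf-re-signed",
    "META-INF/CERT.RSA": b"pkcs7-attacker-cert"})     # attacker's key, not the developer's
```

Against real APKs, obtain the reference copy from the vendor's verified store listing and compare the signer certificate itself (for example with apksigner) in addition to this entry-level diff.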

Cellik’s emergence reflects a broader maturation of the Android malware-as-a-service market.

One-Click APK Builder

Previous iterations like HyperRat, PhantomOS, and Nebula established the subscription-based threat model, but Cellik’s Play Store integration and feature breadth, including advanced location tracking, AI-driven behavioral analysis, and cryptocurrency wallet targeting, set new standards for accessibility and capability at commoditized price points.

Organizations and individuals must recognize that Android devices now face threats comparable in sophistication to desktop environments, requiring corresponding investment in mobile threat detection, app security scanning, and behavioral analysis tools to identify and neutralize these campaigns before widespread compromise occurs.

The threat underscores a critical reality: sophisticated mobile surveillance is no longer exclusive to advanced threat actors.

Subscription-based malware platforms have eliminated technical barriers, enabling low-skilled attackers to execute enterprise-grade spyware campaigns with minimal operational overhead.
