Cellik represents a significant evolution in Android Remote Access Trojan capabilities, introducing sophisticated device control and surveillance features previously reserved for advanced spyware.
This newly identified RAT combines full device takeover with a builder that pulls legitimate applications from the Google Play Store, letting attackers wrap their malicious code around trusted apps with little effort.
The malware has emerged through cybercrime networks with a focus on making mobile attacks accessible to operators of varying technical skill levels, marking a shift toward democratized Android threats.
Once installed, the malware gives operators complete control over the target device.
Cellik streams the device screen in real time with low latency, so an operator can watch victim activity much as they would through a hidden VNC (hVNC) session the user cannot see.
Attackers can interact remotely by simulating taps and swipes on the infected screen, effectively controlling the device from a distance.
The RAT intercepts on-screen notifications, including private messages and one-time passcodes delivered as notifications, giving operators broad visibility into user communications and letting them capture the codes behind SMS- and app-based two-factor authentication.
iVerify analysts identified Cellik as featuring an advanced injection system that enables overlay attacks and credential harvesting from banking applications and other sensitive platforms.
This injection toolkit lets attackers draw fake login screens over legitimate apps or pull data from within installed applications. The control panel manages multiple simultaneous injections across different apps, none of which is visible to the user.
Problematic aspect
The most problematic aspect involves Cellik’s built-in APK builder with Google Play Store integration.
This feature enables attackers to browse the entire Google Play Store catalogue directly through the RAT interface, select legitimate applications, and automatically generate malicious APK files that wrap the Cellik payload inside trusted apps.
The process requires just one click, allowing even low-skilled operators to create convincing trojanized versions of popular games and utilities.
The malware allegedly evades Google Play Protect by hiding its payload inside established applications, potentially slipping past automated security reviews and device-level scanners that flag suspicious new apps. One caveat a defender should keep in mind: the attacker does not hold the original developer's signing key, so a trojanized build has to be re-signed, and its signing certificate will never match the copy distributed through Google Play. That certificate mismatch is a reliable check for a repackaged app.
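The features described above map onto a small set of Android grants that an analyst can enumerate with adb on a suspect device: enabled accessibility services (screen reading and injected taps), enabled notification listeners (notification capture) and the SYSTEM_ALERT_WINDOW app-op (overlays), plus the signing certificate reported by apksigner, which a re-signed repackaged app cannot fake. The mapping of Cellik's capabilities to these grants is an inference from the article's description; the page itself does not name the APIs the malware uses. The Python below is added here as an example and is not code from iVerify or from the article. It parses constructed samples of the real `settings get secure`, `appops get` and `apksigner verify --print-certs` output formats; the package names and digest are made up for illustration.

```python
import re

# Secure-settings keys read with: adb shell settings get secure <key>
# Each holds a colon-separated list of "package/ServiceClass" entries, or "null".
SECURE_SETTINGS = {
    "enabled_accessibility_services": "accessibility",
    "enabled_notification_listeners": "notification_listener",
}

# Output of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
APPOP_RE = re.compile(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)", re.M)

# Output of: apksigner verify --print-certs <apk>
DIGEST_RE = re.compile(
    r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")


def packages_from_service_list(value):
    """'pkg/.Svc:pkg2/x.Svc' -> {'pkg', 'pkg2'}; '' or 'null' -> empty set."""
    pkgs = set()
    for entry in value.strip().split(":"):
        entry = entry.strip()
        if not entry or entry == "null":
            continue
        pkgs.add(entry.split("/", 1)[0])
    return pkgs


def overlay_allowed(appops_output):
    """True only if the SYSTEM_ALERT_WINDOW mode is 'allow' (not default/ignore)."""
    m = APPOP_RE.search(appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(secure_settings, appops_by_pkg, allowlist):
    """Map each non-allowlisted package to the sensitive capabilities it holds."""
    caps = {}
    for key, label in SECURE_SETTINGS.items():
        for pkg in packages_from_service_list(secure_settings.get(key, "")):
            caps.setdefault(pkg, set()).add(label)
    for pkg, output in appops_by_pkg.items():
        if overlay_allowed(output):
            caps.setdefault(pkg, set()).add("overlay")
    return {p: sorted(c) for p, c in caps.items() if p not in allowlist}


def signer_digests(apksigner_output):
    """All SHA-256 signer digests printed by apksigner, lower-cased."""
    return {d.lower() for d in DIGEST_RE.findall(apksigner_output)}


def matches_pinned_signer(apksigner_output, pinned_digest):
    """A repackaged APK is re-signed by the attacker, so its digest won't match."""
    return pinned_digest.lower() in signer_digests(apksigner_output)


# --- Constructed sample output (hypothetical packages, not real data) ---
SAMPLE_SETTINGS = {
    "enabled_accessibility_services":
        "com.android.talkback/.TalkBackService:com.example.suspect/.ControlService",
    "enabled_notification_listeners": "com.example.suspect/.NotifService",
}
SAMPLE_APPOPS = {
    "com.example.suspect": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h31m22s982ms ago",
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: default",
}
ALLOWLIST = {"com.android.talkback"}

# Hypothetical pinned digest for the genuine Play-distributed app.
PINNED_DIGEST = "0123456789abcdef" * 4
SAMPLE_APKSIGNER = (
    "Signer #1 certificate DN: CN=Example Games, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + "fedcba9876543210" * 4 + "\n"
    "Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000\n"
)

if __name__ == "__main__":
    for pkg, held in triage(SAMPLE_SETTINGS, SAMPLE_APPOPS, ALLOWLIST).items():
        print(f"{pkg}: {', '.join(held)}")
    print("signer matches pinned:",
          matches_pinned_signer(SAMPLE_APKSIGNER, PINNED_DIGEST))
```

On a live device the inputs come from `adb shell settings get secure <key>`, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` for each third-party package, and `apksigner verify --print-certs` on the APK pulled with `adb pull`; a single package holding all three grants is exactly the profile an hVNC-plus-overlay RAT needs and is worth manual review even if its icon looks like a well-known game.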
Cellik extends beyond surveillance and control: it includes file system access with encrypted exfiltration of stolen data, a hidden browser for visiting websites and running phishing pages without the user's knowledge, cryptocurrency wallet theft, and location tracking.
As Android malware-as-a-service platforms continue to mature, Cellik exemplifies how sophisticated mobile threats are now packaged in user-friendly subscription models, enabling widespread deployment with minimal technical effort for attackers.
