New Android Malware “Cellik” Abuses Play Store Integration


Cellik is a newly uncovered Android remote access trojan (RAT) that gives attackers extensive control over infected devices while operating under the guise of legitimate apps through Google Play Store integration.

First identified through cybercrime communities, Cellik packs a wide range of advanced capabilities typically associated with high-end spyware. These include real-time screen streaming, keystroke logging, remote access to the camera and microphone, stealth web browsing, notification harvesting, and an app-injection feature designed to steal data from other installed applications.

What sets Cellik apart is its seamless integration with Google Play Store apps. The malware includes a one-click APK builder that allows threat actors to embed its payload into legitimate applications, enabling discreet and large-scale distribution while reducing the risk of user suspicion.

Full Device Control and Live Surveillance

Once deployed on a victim’s smartphone, Cellik grants operators near-total control over the device. Attackers can view the screen live with minimal latency and remotely interact with the interface, effectively turning the phone into an invisible VNC-like session. This allows malicious actors to observe user activity in real time and perform actions such as taps and swipes as though they were physically handling the device.

Figure 1. Live screen streaming and remote device control displayed in the Cellik operator panel.

In addition to full UI access, Cellik is capable of intercepting all on-screen notifications. The malware collects both historical notifications and real-time alerts from any installed application, enabling operators to capture private messages, authentication prompts, and one-time passcodes as soon as they appear on the victim’s device.

Figure 2. Real-time keylogging module displayed within the Cellik control panel.
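The three capabilities described above (live screen viewing with remote taps, keystroke capture, and notification interception) share a defender-side check. The write-up does not state which Android mechanisms Cellik uses, but on a non-rooted device these functions are ordinarily reached through two user-granted access types, accessibility services and notification listeners, and the device records every holder of each in a `settings get secure` value. The following Python helper is an added example, not code from this write-up or from Cellik's tooling: it parses those two values as collected over `adb`, flags any package outside a reviewer-maintained allowlist, and highlights packages that hold both grants, since that combination is the profile of a RAT rather than of an assistive tool. All package names, service names and the allowlist are constructed samples.

```python
"""Triage of privileged-access grants collected from an Android device.

Added example; not code from the Cellik write-up. Screen observation and
remote taps, keystroke capture and notification harvesting on a non-rooted
device ordinarily go through two user-granted access types: accessibility
services and notification listeners. This parses the two `settings get
secure` values that list their holders and flags packages outside a
reviewer-maintained allowlist. All sample values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Each is a ':'-separated list of flattened component names, either
# "package/fully.qualified.Service" or "package/.RelativeService".
# An unset value prints as "null". Constructed samples:
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.repackaged.game/.svc.AccessHelper"
)
SAMPLE_LISTENERS = (
    "com.example.assistant/.NotificationReader:"
    "com.example.repackaged.game/.svc.NotifyListener\n"
)
# Packages a reviewer has confirmed legitimately need these grants (constructed).
ALLOWLIST = frozenset({"com.android.talkback", "com.example.assistant"})


@dataclass(frozen=True)
class Component:
    package: str
    service: str


def parse_components(value: str | None) -> list[Component]:
    """Parse a flattened ComponentName list; "" or "null" means none enabled."""
    if value is None or value.strip() in ("", "null"):
        return []
    components = []
    for item in value.strip().split(":"):
        if not item:
            continue
        package, _, service = item.partition("/")
        if service.startswith("."):  # shorthand relative to the package name
            service = package + service
        components.append(Component(package, service))
    return components


def unexpected(components: list[Component], allowlist: frozenset[str]) -> list[Component]:
    """Components whose package is not on the allowlist."""
    return [c for c in components if c.package not in allowlist]


def triage(accessibility_value: str, listeners_value: str,
           allowlist: frozenset[str]) -> dict[str, list[Component]]:
    """Per-capability list of unexpected holders."""
    return {
        "accessibility": unexpected(parse_components(accessibility_value), allowlist),
        "notification_listener": unexpected(parse_components(listeners_value), allowlist),
    }


def packages_with_both(report: dict[str, list[Component]]) -> set[str]:
    """Packages flagged under both capabilities: UI control plus message access."""
    acc = {c.package for c in report["accessibility"]}
    lis = {c.package for c in report["notification_listener"]}
    return acc & lis


if __name__ == "__main__":
    report = triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, ALLOWLIST)
    for capability, comps in report.items():
        for c in comps:
            print(f"[{capability}] unexpected: {c.package} ({c.service})")
    for pkg in sorted(packages_with_both(report)):
        print(f"[both] {pkg} holds accessibility and notification access")
```

On a real device the two sample strings are replaced by the `adb shell settings get secure` output; the allowlist should be built from the organisation's approved accessibility and assistant apps, and any package the script reports under both capabilities is a candidate for the kind of surveillance the panel screenshots above depict.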

In addition to monitoring screen activity and keystrokes, Cellik provides unrestricted access to the device’s file system. Operators can browse local files, upload or download content, delete data, and even access cloud storage directories associated with the device. All file transfers and data exfiltration are encrypted, helping the malware remain stealthy and evade detection.


Figure 3. File manager module of the Cellik RAT, shown with the client-side context menu open.

Hidden Browser and Injection Capabilities

Cellik also supports active web abuse and phishing operations directly on compromised devices. The malware includes a hidden browser module that launches an invisible web session on the victim’s phone.

Through this concealed browser, attackers can remotely visit websites, click links, and complete forms without any visible activity appearing on the device’s screen. Screenshots from these sessions are streamed back to the operator in real time, providing continuous visibility into the browsing activity.

This capability allows threat actors to silently access websites using the victim’s stored cookies or automatically populate login fields on phishing pages. Any data entered into forms—such as passwords, personal details, or payment information—is captured by Cellik, enabling credential theft without the user’s awareness.


Figure 4. Interface of Cellik’s hidden browser module, used for stealth browsing and phishing activity.

Another key capability is Cellik’s injection framework, which allows attackers to deploy malicious overlays or code into other applications installed on the device. In real‑world scenarios, this can be used to display fake login screens over legitimate banking or financial apps, or to siphon sensitive data directly from within targeted applications.

Through the Cellik control panel, operators can manage active injections, track their execution status, and collect any information harvested during these attacks.


Figure 5. Feature list of Cellik RAT’s advertised “advanced injection system.”

Cellik includes an “injector lab” that allows attackers to design custom injection templates and deploy multiple injections simultaneously across different apps. For instance, an operator could activate a fake login overlay for Facebook while simultaneously running a Gmail overlay phishing attack. Credentials collected from both apps are sent back in real time to the command-and-control panel, giving attackers broad access to sensitive account data.

Google Play Store Integration and Custom APK Creation

One of Cellik’s most concerning capabilities is its direct integration with the Google Play Store, combined with an automated APK generation feature designed for malware distribution. From within the control panel, attackers can browse the full Play Store catalog and choose legitimate applications to serve as carriers for the Cellik payload.

With a single action, the toolkit generates a malicious APK that embeds the RAT into the selected app. This allows threat actors to take widely trusted apps—such as games, productivity tools, or utilities—and repackage them with Cellik’s code included.

By handling the entire process internally, Cellik significantly lowers the technical barrier for large-scale deployment, making it easier for attackers to distribute the malware under the appearance of legitimate software.
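The repackaging workflow just described leaves a durable trace that defenders can key on: a trojanised copy of a legitimate app cannot reproduce the original publisher's signature, because the operator does not hold that publisher's signing key, so the APK has to be re-signed with a different certificate. The following Python helper is an added example, not code from this write-up or from Cellik's tooling. It assumes the `apksigner` tool from the Android SDK build-tools is available and parses its `verify --print-certs` output, comparing the signer certificate's SHA-256 digest with a pinned known-good value recorded from a trusted copy of the app. The package names and digests below are constructed placeholders, not real values.

```python
"""Signer pinning check for Android APKs.

Added example; not code from the Cellik write-up. A repackaged APK cannot
reproduce the original publisher's signature, because the attacker does not
hold that publisher's signing key, so comparing the signer certificate digest
with a pinned known-good value is a direct test for repackaging. The package
names and digests below are constructed placeholders.
"""
from __future__ import annotations

import re
import subprocess

# Constructed: package name -> SHA-256 digest of the legitimate signing
# certificate, as printed by `apksigner verify --print-certs`. Real values
# would be recorded from a known-good copy of the app.
PINNED_SIGNERS = {
    "com.example.legitgame": "11" * 32,  # placeholder, not a real digest
}

# apksigner prints one "Signer #N certificate SHA-256 digest: <hex>" line per signer.
_SHA256_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.MULTILINE
)

# Constructed sample output for the genuine app ...
SAMPLE_GENUINE = "\n".join([
    "Signer #1 certificate DN: CN=Example Studio, O=Example, C=US",
    "Signer #1 certificate SHA-256 digest: " + "11" * 32,
    "Signer #1 certificate SHA-1 digest: " + "22" * 20,
    "Signer #1 certificate MD5 digest: " + "33" * 16,
    "",
])
# ... and for a repackaged copy re-signed with a key the operator controls.
SAMPLE_REPACKAGED = "\n".join([
    "Signer #1 certificate DN: CN=Android, O=Android, C=US",
    "Signer #1 certificate SHA-256 digest: " + "ff" * 32,
    "Signer #1 certificate SHA-1 digest: " + "ee" * 20,
    "Signer #1 certificate MD5 digest: " + "dd" * 16,
    "",
])


def parse_signer_digests(apksigner_output: str) -> list[str]:
    """Lower-case SHA-256 digests of every signer certificate in the output."""
    return [m.group(1).lower() for m in _SHA256_LINE.finditer(apksigner_output)]


def check_signer(package: str, apksigner_output: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if a signer matches the pinned digest."""
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        return False, "no signer digest found (unsigned APK or verification failed)"
    expected = PINNED_SIGNERS.get(package)
    if expected is None:
        return False, f"no pinned signer recorded for {package}"
    if expected.lower() in digests:
        return True, "signer matches pinned certificate"
    # A different signer on a known package is the repackaging tell.
    return False, f"signer mismatch for {package}: got {', '.join(digests)}"


def run_apksigner(apk_path: str) -> str:
    """Run the real tool on an APK file (needs Android build-tools on PATH)."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    for label, output in (("genuine", SAMPLE_GENUINE), ("repackaged", SAMPLE_REPACKAGED)):
        ok, reason = check_signer("com.example.legitgame", output)
        print(f"{label}: {'OK' if ok else 'FLAG'} - {reason}")
```

In practice `run_apksigner` replaces the sample strings, and the pinned digests are recorded once from an installation obtained directly from the publisher; the same digest comparison is what prevents a re-signed package from installing as an update over the genuine app, which is why repackaged copies depend on being installed as a fresh app rather than through the legitimate app's update path.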


Figure 6. Cellik RAT’s advertised feature set for Play Store integration and APK generation.

According to the seller, Cellik is designed to evade Google Play security mechanisms by embedding its payload inside trusted applications, effectively bypassing Play Protect detection. While Play Protect is generally effective at identifying standalone malicious or unknown apps, trojans concealed within popular app packages may evade automated review processes and on-device security scans.

A Broader Shift Toward Android Malware‑as‑a‑Service

Cellik is not an outlier—it reflects a broader evolution in the Android malware ecosystem. As highlighted in earlier research on HyperRat, the Android malware‑as‑a‑service (MaaS) market has reached a level of maturity where even low-skilled threat actors can launch sophisticated mobile surveillance campaigns with minimal technical effort.

Vendors operating on underground forums now offer subscription-based RAT platforms that handle nearly every aspect of an attack, from malicious APK creation to cloud-hosted command-and-control infrastructure. Cellik’s capabilities closely resemble those found in other MaaS offerings such as HyperRat, PhantomOS, and Nebula, all of which combine silent app installation, credential harvesting, and remote device control within accessible, user-friendly management panels.


What truly distinguishes Cellik is its integration with Play Store apps and the sheer range of features it delivers at a relatively low cost. Beyond standard remote access, the toolkit offers advanced location tracking, live audio and video capture, communications monitoring, cryptocurrency wallet theft, and even AI‑assisted analysis of user behavior—capabilities once reserved for high-end spyware.

What This Means for Defenders

Cellik is a clear signal that advanced Android malware is no longer limited to well‑resourced cybercriminal groups. These tools are now packaged, marketed, and sold as ready‑to‑use products, lowering the barrier to entry for mobile espionage and fraud.

This shift underscores the importance of tracking emerging mobile threats as soon as they appear in underground ecosystems and translating that intelligence into actionable detections. By identifying new malware families early, defenders gain the visibility needed to understand how these tools operate and disrupt campaigns before they spread widely.

The objective is straightforward: detect mobile attacks early, understand their behavior, and stop them before they cause real damage.
