‘Cellik’ Android RAT Leverages Google Play Store
Summary
Cellik is a remote access Trojan (RAT)-as-a-service that integrates with the Google Play ecosystem to create and distribute poisoned Android apps. Researchers at iVerify describe Cellik as offering full device control (screen streaming, remote interaction), keylogging, notification harvesting (including one-time passcodes), file system access and exfiltration, and a hidden browser that can act without the user seeing activity on their screen.
What sets Cellik apart is its app-wrapping and Play Store automation: the service can download legitimate APKs from the Play Store, wrap them with a Cellik payload, and produce a repackaged APK for distribution. The toolkit also includes an injector builder for malicious overlays (fake login screens) and claims methods to evade Play Protect. Cellik is sold on a subscription model, making such capabilities accessible to low-skilled criminals who rely on social engineering and sideloading to spread the malware.
Key Points
- Cellik is a RAT-as-a-service that grants attackers near-complete remote control of compromised Android devices.
- Features include screen streaming, remote control, keylogging, notification capture (including OTPs), full file access and encrypted exfiltration.
- Notable capability: an automated APK builder that fetches Play Store apps and wraps them with a Cellik payload for distribution.
- Injector builder enables malicious overlays on other apps to harvest credentials and perform stealthy interaction.
- Distribution relies largely on sideloading and social engineering rather than exploiting Android vulnerabilities.
- Pricing is aimed at a wide criminal market (examples cited: roughly $150/month to $900 lifetime), lowering the barrier to entry.
- Defence advice: avoid sideloading, verify APKs/hashes if manual installs are unavoidable, keep mobile security tools/EDR up to date, and train users on social engineering risks.
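The "verify APKs/hashes if manual installs are unavoidable" advice above can be turned into a repeatable pre-install gate. The Python below is an added example written for this summary; it is not code from iVerify or from the Cellik write-up. It hashes the APK and compares it with a value obtained from the vendor over a separate channel (the `expected_sha256` argument is assumed to come from that out-of-band source), then sanity-checks the ZIP container for the parts a signed APK carries (`AndroidManifest.xml`, `classes.dex`, a v1 signature under `META-INF/`). A repackaged build of the kind the article describes necessarily has a different hash from the vendor's original, which is the failure mode the check is meant to catch. The sample "APK" built by `build_sample_apk` is a constructed stand-in, not a real application.

```python
"""Pre-install checks for a manually obtained Android APK (added example).

Two checks are combined:
  1. SHA-256 of the file must match a hash obtained out of band.
  2. The ZIP container must look like a signed APK (manifest, DEX, v1 signature
     entry under META-INF/, and no corrupt entries).
Neither check replaces real signature verification (see the usage note).
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory APK."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of an APK on disk, streamed so large files do not load fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_apk_structure(data: bytes) -> List[str]:
    """Return findings about the container; an empty list means nothing obviously wrong."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP container"]
    with zf:
        names = set(zf.namelist())
        if "AndroidManifest.xml" not in names:
            findings.append("missing AndroidManifest.xml")
        if "classes.dex" not in names:
            findings.append("missing classes.dex")
        # v1 (JAR) signatures live in META-INF/*.RSA|*.DSA|*.EC; presence only, not validity.
        if not any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                   for n in names):
            findings.append("no v1 signature block under META-INF/")
        if zf.testzip() is not None:
            findings.append("corrupt ZIP entry (CRC mismatch)")
    return findings


def verify_apk(data: bytes, expected_sha256: str) -> Tuple[bool, List[str]]:
    """Gate an APK: hash must match the out-of-band value and the container must look sane."""
    findings: List[str] = []
    actual = sha256_bytes(data)
    if actual != expected_sha256.lower():
        findings.append(f"hash mismatch: expected {expected_sha256[:16]}..., got {actual[:16]}...")
    findings.extend(check_apk_structure(data))
    return (not findings, findings)


def build_sample_apk(signed: bool = True,
                     extra_entries: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed stand-in for an APK: just enough ZIP layout for the checks above.

    Fixed timestamps keep the output byte-identical across calls, so the hash is stable.
    """
    entries: Dict[str, bytes] = {
        "AndroidManifest.xml": b"<manifest package='com.example.app'/>",  # constructed
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,                     # constructed
    }
    if signed:
        entries["META-INF/MANIFEST.MF"] = b"Manifest-Version: 1.0\n"
        entries["META-INF/CERT.RSA"] = b"\x30\x82placeholder-pkcs7"        # constructed
    entries.update(extra_entries or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


if __name__ == "__main__":
    vendor_build = build_sample_apk()
    trusted_hash = sha256_bytes(vendor_build)  # in practice: published by the vendor out of band
    print("vendor build:", verify_apk(vendor_build, trusted_hash))
    # A repackaged build carries extra code, so its hash cannot match the vendor's value.
    repackaged = build_sample_apk(extra_entries={"classes2.dex": b"dex\n035\x00added"})
    print("repackaged:", verify_apk(repackaged, trusted_hash))
```

The structural check only confirms a signature entry exists; to confirm who signed the file, run the Android SDK's `apksigner verify --print-certs` on the APK and compare the printed certificate digest with the vendor's known signing certificate. Whoever repackages an app must re-sign it with their own key, so a wrapped build fails that comparison even when the file otherwise looks complete.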
Why should I read this?
Short version: if you or your users run Android phones, this matters. Cellik makes it stupidly easy for crooks to wrap malware in otherwise-trusted apps and trick people into installing them. Read this so you know to stop random APKs, train users, and tighten mobile defences — it could save you a nasty incident and a long cleanup.
Author’s take
Punchy and to the point: Cellik is another sign that mobile malware is maturing into an on-demand service. For security teams this isn’t academic — it’s a realistic, low-cost threat that leverages human trust and sideloading. If you manage endpoints or mobile policy, lock down install paths and reinforce user awareness now.
