Cellik live screen streaming/remote control view from the operator panel | Image: iVerify
A sophisticated new Android Remote Access Trojan (RAT) has surfaced in cybercrime networks, offering attackers a “turnkey” solution to hijack smartphones by piggybacking on legitimate applications. A new report from iVerify details the capabilities of Cellik, a Malware-as-a-Service (MaaS) platform that bundles advanced espionage features with a terrifyingly simple distribution method: wrapping malicious code inside trusted Google Play Store apps.
Cellik is not just another piece of malware; it represents a maturation of the mobile threat landscape where high-end surveillance tools are becoming accessible to low-skilled cybercriminals.
According to the report, Cellik is being marketed on underground forums as a comprehensive spyware solution. For a subscription fee starting at just $150 per month, attackers gain access to a dashboard that rivals state-sponsored tools.
“Discovered via cybercrime networks, Cellik comes packed with capabilities previously seen only in advanced spyware,” the report states. These features include “real-time screen streaming, keylogging, remote camera/microphone access, hidden web browsing, notification interception, and even an app-injection system for stealing data from other apps”.
Once installed, Cellik grants the operator total dominion over the victim’s device. The RAT features a VNC-like capability, allowing the attacker to view the screen in real-time and remotely control the user interface with minimal lag.
“This means an attacker can watch the victim’s screen live with minimal lag and simulate taps or swipes as if holding the device”.
Beyond passive monitoring, Cellik actively engages in fraud. It includes a “hidden browser” module that runs invisibly in the background. Attackers can use this to navigate to banking sites or phishing pages using the victim’s own session cookies, all while the phone owner remains oblivious. “The attacker can remotely navigate to websites, click links, and fill out forms through this hidden browser, all without the phone’s owner seeing any activity on their screen”.
Perhaps the most alarming feature of Cellik is its Play Store integration. The malware includes an automated “APK Builder” that allows attackers to browse the Google Play Store catalog directly from their control panel, select a popular legitimate app, and inject the Cellik payload into it.
“What sets Cellik apart is its Play Store app integration and the sheer breadth of its capabilities for the price point”.
By bundling the RAT inside a functional, recognizable application (like a game or utility), attackers increase the likelihood of installation and aim to bypass security filters. “The seller claims Cellik can bypass Google Play security features by wrapping its payload in trusted apps, essentially disabling Play Protect detection”.
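Modifying an APK invalidates the original developer's signature, so a wrapped copy of a legitimate app has to be re-signed with a different certificate than the genuine release. The sketch below is an added example, not code from iVerify's report; the package names, digests, inventory format and baseline are constructed assumptions. It shows how a defender could flag such copies in a device app inventory by signer, install source and newly added camera or microphone permissions.

```python
# Added example: flag repackaged copies of known apps in a device inventory.
# Package names, digests and records are constructed sample data.
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}

# Hypothetical baseline describing the genuine release of each tracked app.
BASELINE = {
    "com.example.puzzle": {
        "signer_sha256": "a1" * 32,
        "permissions": {"android.permission.INTERNET"},
    },
}

# Constructed inventory rows, e.g. from an MDM export (format is an assumption).
INVENTORY = [
    {"device": "phone-01", "package": "com.example.puzzle", "signer_sha256": "A1" * 32,
     "installer": PLAY_STORE, "permissions": ["android.permission.INTERNET"]},
    {"device": "phone-02", "package": "com.example.puzzle", "signer_sha256": "ff" * 32,
     "installer": None, "permissions": ["android.permission.INTERNET",
                                        "android.permission.CAMERA",
                                        "android.permission.RECORD_AUDIO"]},
    {"device": "phone-03", "package": "com.example.puzzle", "signer_sha256": "a1" * 32,
     "installer": None, "permissions": ["android.permission.INTERNET"]},
    {"device": "phone-03", "package": "com.example.untracked", "signer_sha256": "00" * 32,
     "installer": None, "permissions": []},
]

def triage(inventory, baseline=BASELINE):
    """Return (device, package, reasons) for apps that deviate from the baseline."""
    findings = []
    for app in inventory:
        known = baseline.get(app["package"])
        if known is None:
            continue  # no genuine release on record to compare against
        reasons = []
        # A modified APK must be re-signed, so the certificate digest changes.
        if app["signer_sha256"].lower() != known["signer_sha256"].lower():
            reasons.append("signer-mismatch")
        if app.get("installer") != PLAY_STORE:
            reasons.append("not-installed-by-play")
        added = (set(app["permissions"]) - known["permissions"]) & SENSITIVE
        if added:
            reasons.append("added:" + ",".join(sorted(added)))
        if reasons:
            findings.append((app["device"], app["package"], reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(finding)
```

A signer mismatch on a package name that matches a known app is the strongest of the three signals; an install source other than Google Play on its own only warrants a closer look.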
Cellik is part of a broader trend of “turnkey” Android malware platforms, joining the likes of HyperRat, PhantomOS, and Nebula. These services lower the barrier to entry for cybercrime, allowing anyone with a few hundred dollars to run a sophisticated mobile spyware campaign.
With a lifetime license costing $900, Cellik offers a disturbingly affordable path for threat actors to harvest crypto-wallets, intercept 2FA codes, and conduct AI-driven analysis of user behavior.