Cybersecurity researchers have identified Cellik, a sophisticated Android Remote Access Trojan that combines comprehensive device surveillance capabilities with automated Google Play Store integration, enabling attackers with minimal technical expertise to inject malicious code into legitimate applications. The malware represents a significant escalation in Android-targeted threats, democratizing advanced mobile surveillance through a subscription-based malware-as-a-service model that features a one-click APK builder, real-time screen monitoring, advanced keystroke logging, and credential harvesting systems capable of bypassing Google Play Protect detection mechanisms.
Once installed on target devices, Cellik provides operators with complete device takeover through an intuitive control panel that enables real-time screen streaming with minimal latency. Attackers effectively operate hidden Virtual Network Computing (VNC) sessions on compromised phones, simulating taps and swipes to control the device interface remotely while remaining invisible to the device owner.
The surveillance toolkit extends far beyond basic monitoring. Cellik intercepts all on-screen notifications including private messages, one-time passcodes (OTPs), and sensitive authentication attempts. The malware captures live notification streams from banking applications, messaging platforms, and email services, providing attackers comprehensive visibility into victim communications and authentication sequences.
The integrated keylogger module records all keyboard inputs across all applications, enabling attackers to harvest usernames, passwords, and sensitive information typed within banking apps, email clients, and social media platforms. Advanced encryption protects exfiltrated keystroke data, ensuring cybercriminals maintain confidential communication channels with command-and-control infrastructure.
Cellik's most alarming innovation involves seamless Google Play Store integration coupled with an automated one-click APK builder. Rather than requiring technical expertise in application repackaging, attackers can browse the entire Google Play Store catalogue directly through the Cellik control panel, select legitimate applications, and generate trojanized versions embedding the malware payload within trusted applications.
This innovation represents an unprecedented escalation in distribution efficiency. Previous Android malware required attackers to either develop malicious applications independently or possess technical skills to disassemble, modify, and recompile legitimate applications. Cellik eliminates these barriers entirely—attackers simply click "Index This Bank" or select any Play Store application, and the system automatically generates malicious APK files containing the original application functionality alongside hidden Cellik surveillance code.
The resulting files maintain original application branding, icons, and functionality, appearing entirely legitimate to users. Once installed, repackaged applications behave normally while Cellik operates silently in the background, collecting surveillance data and awaiting operator commands.
Complementing the APK builder functionality, Cellik incorporates an advanced injection system enabling simultaneous overlay attacks across multiple applications. Operators can deploy fake login screens over legitimate banking applications, email clients, and social media platforms without user visibility. Unsuspecting users entering credentials into overlaid login forms unknowingly transmit authentication data directly to attackers' command-and-control servers.
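The notification interception, keylogging and overlay capabilities described above map onto a small set of Android permissions and service bindings (a notification listener service, an accessibility service, and the overlay window permission), which makes their co-occurrence in one manifest a useful triage signal for defenders. The following script is an added example, not Cellik's code and not part of the original report; the manifests are constructed samples, and the weights and threshold are assumptions chosen for illustration.

```python
"""Triage heuristic: flag RAT-style capability combinations in Android manifests.

Added example, not from the original report. Assumption: the capabilities the
report describes are implemented with the standard Android mechanisms below.
"""
import re

# Permission / service-binding string -> (what it typically enables, weight).
# Weights are an assumption for this example, not a published scoring scheme.
RISK_SIGNALS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("keylogging, remote taps and swipes", 3),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification and OTP interception", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay / fake login screens", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropping additional payloads", 2),
    "android.permission.ACCESS_FINE_LOCATION": ("victim location tracking", 1),
}

# Matches both <uses-permission android:name="..."/> and the android:permission
# attribute that binds a service to the accessibility / notification-listener API.
PERM_RE = re.compile(r'android:(?:name|permission)="([A-Za-z0-9_.]+)"')

def extract_signals(manifest_xml: str) -> set[str]:
    """Return the known risk signals referenced anywhere in the manifest."""
    return set(PERM_RE.findall(manifest_xml)) & set(RISK_SIGNALS)

def score(manifest_xml: str) -> tuple[int, list[str]]:
    """Sum signal weights; accessibility + overlay together is the classic
    banking-trojan pairing, so it earns an extra bonus beyond the sum."""
    signals = extract_signals(manifest_xml)
    total = sum(RISK_SIGNALS[s][1] for s in signals)
    reasons = sorted(f"{s}: {RISK_SIGNALS[s][0]}" for s in signals)
    if {"android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.SYSTEM_ALERT_WINDOW"} <= signals:
        total += 3
        reasons.append("combination: accessibility service + overlay window")
    return total, reasons

THRESHOLD = 6  # assumption: anything at or above this score goes to manual review

# Constructed sample manifests: a benign flashlight app and a RAT-style one.
BENIGN = '''<manifest package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>'''
SUSPICIOUS = '''<manifest package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
</manifest>'''

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        total, reasons = score(manifest)
        print(f"{name}: score={total} review={total >= THRESHOLD}", *reasons, sep="\n  ")
```

Individually, each of these permissions has legitimate uses, so the heuristic is a prioritisation aid for app review or mobile threat detection pipelines, not a verdict on its own.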
A hidden browser module operates completely invisibly on infected devices, enabling attackers to navigate websites, submit forms, and capture credentials without any on-screen indication to device owners. Attackers leverage saved cookies and autofill data to access accounts, execute phishing attacks, and intercept sensitive form data including passwords and payment information.
This hidden browser component represents a particularly insidious threat vector. Attackers can perform online banking transactions, complete fraudulent money transfers, or conduct credential-harvesting attacks entirely on the victim's device without generating any physical indicators of compromise.
Cellik extends beyond surveillance and control to include specialized targeting of cryptocurrency wallets. The malware can access and exfiltrate wallet seed phrases from popular platforms including Ledger, MetaMask, and other cryptocurrency storage solutions. Complete file system access with encryption-protected exfiltration enables attackers to harvest any data stored on compromised devices.
Advanced location tracking capabilities provide real-time device location monitoring, enabling attackers to track victim movement patterns, identify frequented locations, and potentially facilitate physical targeting or blackmail operations.
Cellik exemplifies the troubling maturation of the Android malware-as-a-service market. Previous iterations including HyperRat, PhantomOS, and Nebula established subscription-based threat models, but Cellik's Play Store integration, feature breadth, and automation set new standards for accessibility and capability at commoditized price points.
Sophisticated mobile surveillance capabilities previously exclusive to advanced threat actors and nation-state-sponsored operations are now packaged in user-friendly subscription models, enabling low-skilled attackers to execute enterprise-grade spyware campaigns with minimal operational overhead. This democratization significantly expands the threat actor pool capable of deploying advanced mobile compromises.
Cellik developers claim the malware can bypass Google Play Protect detection by embedding payloads within trusted applications. While automated review systems typically flag suspicious packages, trojans hidden within repackaged legitimate applications may evade both Google's security systems and device-level scanners.
The trojanization approach introduces concerning implications for Play Store security. Legitimate developers' applications can be weaponized without modification to application code structure or security certificates, potentially enabling distribution through formal channels or side-loading networks that automated scanners fail to detect.
Cellik's emergence underscores that Android devices now face threats comparable in sophistication to those targeting desktop environments. Organizations and individuals require corresponding investments in mobile threat detection, behavioral analysis tools, and app security scanning to identify and neutralize these campaigns before widespread compromise occurs.
The widening gap between the complexity of mobile operating systems and the minimal effort required to exploit them at scale represents a fundamental shift in mobile threat dynamics, requiring comprehensive defensive evolution across both enterprise and consumer security architectures.