A new Android malware-as-a-service platform called Cellik allows attackers to build malicious versions of legitimate Google Play applications while preserving their original interface and functionality. This technique makes infections harder to detect and increases risks for Android users.

Cellik is being advertised on underground cybercrime forums as a fully featured MaaS tool offering extensive remote-control capabilities over infected devices. Threat actors can browse Google Play, select legitimate applications, and generate trojanized versions that closely resemble the originals.

Once installed, the app behaves normally from the user’s perspective, while the malware operates in the background. Cellik enables real-time screen streaming, notification interception, file access and exfiltration, filesystem browsing, and encrypted communication with command-and-control servers.

A particularly dangerous feature is its injection system, which allows attackers to overlay fake login screens or inject malicious code into installed applications, effectively turning trusted apps into credential-stealing tools.

The malware was discovered by mobile security researchers at iVerify. According to their findings, Cellik is sold via subscription for approximately $150 per month or through a lifetime license. It also includes a stealth browser mode that allows attackers to access websites using the victim’s stored cookies and active sessions. The malware’s developers claim that wrapping the payload inside popular apps may help bypass Google Play Protect, although this claim has not yet been independently confirmed.

Cellik highlights the growing sophistication of Android malware and its shift toward stealth, persistence, and abuse of trusted ecosystems. Even familiar applications can become attack vectors when distributed outside official channels, emphasizing the need for strong mobile security practices and cautious app installation habits.