Threat actors offering remote access Trojan services are leveraging the Google Play Store to publish maliciously modified Android apps, enabling unauthorized control over users’ devices.

According to new research published this week by Daniel Kelley of iVerify, the RAT known as Cellik represents a notable evolution in Android malware. Beyond standard high-level capabilities such as complete control of infected devices, Cellik stands out for its Play Store integration, enabling threat actors to embed the malware inside legitimate-looking Android apps.

As an x-as-a-service offering, Cellik reflects the growing commoditization of cybercrime. Entry-level attackers no longer need advanced expertise, as they can simply pay for fully operational packages that include ransomware, credential stealers, phishing frameworks, C2 infrastructure, and additional attack components.

According to Kelley, Cellik exemplifies a wider trend in Android malware development, where increasing sophistication and accessibility now allow attackers with limited technical skills to deploy and manage mobile spyware operations with ease. 

Inside the operations of the Cellik RAT 

Once Cellik is successfully installed on a victim’s Android device, the attacker gains complete control, according to iVerify’s blog. The malware is capable of live screen streaming, allowing the attacker to remotely operate the device as though they were physically holding it.

A Cellik operator gains extensive visibility and control over an infected device, including access to a keylogger, all on-screen notifications and alert history, one-time passcodes, the entire file system, and sensitive browser data such as cookies and auto-fill credentials. In effect, the attacker can access virtually everything the legitimate user can.

"The controller can browse through all files on the device, download or upload files, delete data, and even access cloud storage directories linked to the phone. All file transfers and exfiltration are done with encryption to avoid detection," Kelley wrote. Moreover, "The attacker can remotely navigate to websites, click links, and fill out forms through this hidden browser, all without the phone's owner seeing any activity on their screen."

Individually, Cellik’s features may not be groundbreaking, but their impact is amplified by the malware’s app injection and Play Store capabilities. Through app injection, attackers can superimpose fraudulent interfaces over legitimate apps on an infected device to capture credentials, supported by an injector builder that can be configured for a wide range of applications.

Cellik’s Google Play functionality includes an automatic APK generation tool that directly interacts with the Play Store. This tool allows attackers to select and download genuine apps, inject them with a Cellik malicious payload, and bundle the resulting APKs for further distribution.

"The seller claims Cellik can bypass Google Play security features by wrapping its payload in trusted apps, essentially disabling Play Protect detection," Kelley wrote. "While Google Play Protect typically flags unknown or malicious apps, Trojans hidden inside popular app packages might slip past automated reviews or device-level scanners." 

Key takeaways and defense strategies against Cellik 

iVerify notes that although comparable RATs exist on the market, Cellik differentiates itself through its Play Store integration and the depth of its feature set relative to cost, with pricing starting at $150 per month and extending up to $900 for lifetime use.

For defenders, iVerify notes that although mobile security tools can help identify malware such as Cellik, staying informed about social engineering methods and being vigilant about app downloads is often the strongest line of defense.

"Stick to official app stores to minimize exposure to malicious apps. Avoid sideloading unless absolutely necessary, and if you must install APKs manually, verify hashes and signatures before doing so," Kelley says. "Having an [endpoint detection and response] solution also helps so it can flag issues as a user initiates a download and mitigates issues early if a malicious app does make its way through."
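The hash-and-signature check Kelley recommends for manually installed APKs, as an added example that is not part of the iVerify research or its tooling. It assumes the expected SHA-256 of the APK and, optionally, the expected SHA-256 fingerprint of the developer's signing certificate were obtained out of band (for example from the publisher's site), and that `apksigner` from the Android SDK build-tools is on PATH for the certificate check.

```shell
#!/usr/bin/env bash
# Hypothetical helper (not iVerify's code): refuse to sideload an APK unless it
# matches a pinned SHA-256 and, when apksigner is available, a pinned signer
# certificate fingerprint. A repackaged copy of a popular app fails both checks.

# Portable SHA-256 of a file: prefer sha256sum, fall back to shasum (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_apk PATH EXPECTED_SHA256 [EXPECTED_SIGNER_CERT_SHA256]
# Returns 0 on match, 1 on any mismatch, 2 when a signer check was requested
# but apksigner is not installed (treat 2 as "not verified", never as "safe").
verify_apk() {
    apk="$1"; want_hash="$2"; want_signer="${3:-}"
    [ -f "$apk" ] || { echo "no such file: $apk" >&2; return 1; }

    got_hash="$(file_sha256 "$apk")"
    # Normalise case so a hash copied from a vendor page compares cleanly.
    if [ "$(echo "$got_hash" | tr 'A-F' 'a-f')" != "$(echo "$want_hash" | tr 'A-F' 'a-f')" ]; then
        echo "HASH MISMATCH: expected $want_hash, got $got_hash" >&2
        return 1
    fi
    echo "sha256 ok: $got_hash"

    [ -n "$want_signer" ] || return 0
    if ! command -v apksigner >/dev/null 2>&1; then
        echo "apksigner not found; signer certificate NOT verified" >&2
        return 2
    fi
    # apksigner prints "Signer #1 certificate SHA-256 digest: <hex>" per signer;
    # an invalid or missing signature leaves got_signer empty, which fails below.
    got_signer="$(apksigner verify --print-certs "$apk" 2>/dev/null \
        | awk '/certificate SHA-256 digest:/ {print $NF; exit}')"
    want_signer="$(echo "$want_signer" | tr -d ': ' | tr 'A-F' 'a-f')"
    if [ "$got_signer" != "$want_signer" ]; then
        echo "SIGNER MISMATCH: expected $want_signer, got ${got_signer:-<none>}" >&2
        return 1
    fi
    echo "signer certificate ok: $got_signer"
}

# Usage: verify_apk app.apk <pinned-apk-sha256> [<pinned-signer-cert-sha256>] && adb install app.apk
```

Only install when the function returns 0; a return of 2 means the hash matched but the signer could not be checked, which is the case a repackaged APK with a matching name but a different signing key would otherwise slip through.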