Cellik Android Malware-as-a-Service Trojanizes Any Google Play App
New $150/month malware platform allows attackers to create weaponized versions of legitimate Android apps while maintaining full functionality.
Mobile security researchers at iVerify have discovered a new malware-as-a-service platform called Cellik that enables cybercriminals to create trojanized versions of virtually any application available on the Google Play Store. Priced at just $150 per month or $900 for lifetime access, the service dramatically lowers the barrier to entry for sophisticated Android attacks.
Weaponizing Legitimate Applications
What sets Cellik apart from typical Android malware is its ability to seamlessly inject malicious capabilities into legitimate applications while preserving their original functionality. Users downloading a trojanized app would see it work exactly as expected, unaware that comprehensive surveillance and data theft capabilities operate silently in the background.
The platform's builder pulls from the Google Play Store catalog, so operators can browse listed applications, pick a target, and have a weaponized variant generated automatically. The seller claims the technique may evade Google Play Protect; independent researchers have not verified that claim.
Comprehensive Surveillance Capabilities
The Cellik toolkit provides operators with extensive monitoring and control capabilities that rival commercial spyware products:
Real-Time Surveillance
- Live screen capture and streaming, allowing attackers to watch victim activity in real-time
- App notification interception, capturing messages from banking apps, authenticators, and communication platforms
- Filesystem browsing and targeted file exfiltration
- Remote data wiping for anti-forensics or extortion purposes
Credential Theft
- Overlay injection attacks that display fake login screens over legitimate applications
- Malicious code injection into running apps to intercept credentials at the point of entry
- Comprehensive account credential harvesting across multiple services
Hidden Browser Capability
Perhaps the most insidious feature is Cellik's hidden browser mode, which loads websites in a browser the victim cannot see, reusing the cookies and session tokens already on the device. Because the session was authenticated by the victim, the site sees an ordinary request from the expected device and network, so no new password prompt or second-factor challenge is raised that might alert the victim. This is why session theft sidesteps MFA: the session token is issued after the second factor has already been satisfied. Short session lifetimes and forced re-authentication before sensitive actions (transfers, password or recovery-email changes) limit what a stolen session can do.
Command-and-Control Infrastructure
Traffic between infected devices and operator infrastructure is encrypted, so network defenders cannot rely on inspecting payloads; detection has to lean on destination reputation, connection timing and volume, and the device-side indicators described later in this article. The platform provides operators with a management panel for running campaigns across many infected devices at once.
The Economics of Mobile Malware
At $150 monthly, Cellik represents remarkable value for cybercriminals considering the capabilities provided. Traditional spyware development requires significant investment in development expertise, ongoing maintenance, and infrastructure. Malware-as-a-service platforms democratize access to these capabilities, enabling less sophisticated actors to conduct operations previously limited to well-resourced groups.
The lifetime pricing option at $900 suggests the operators expect long-term demand and have confidence in their ability to maintain the platform against defensive measures.
Distribution Challenges Remain
While Cellik simplifies malware creation, distribution remains the operator's problem. A trojanized copy cannot simply be published to Google Play as the app it imitates: the package name is already registered to the legitimate developer, Play requires updates to be signed with that developer's key, and submissions are scanned. Instead, attackers typically rely on:
- Phishing campaigns directing victims to malicious download sites
- Third-party app stores with less rigorous security screening
- Social engineering through messaging platforms and social media
- Compromised legitimate websites serving malicious downloads
The effectiveness of any Cellik campaign ultimately depends on convincing victims to install applications from outside official channels, making user awareness a critical defensive layer. One platform detail helps here: Android refuses to install an APK over an existing package with the same name but a different signing certificate, so a victim who already has the genuine app must uninstall it before the trojanized copy will install. Any instruction to "remove the old version first" before installing an update obtained outside Play should be treated as a red flag.
Detecting Trojanized Applications
Trojanized applications are hard to catch with traditional signatures because each build wraps a different host app and the injected component can be re-obfuscated with every generation, so there is no stable byte pattern to match. Organizations and individuals concerned about mobile threats should focus on behavioral and structural indicators:
Warning Signs:
- Unusual battery drain or data consumption
- Apps requesting permissions beyond their stated functionality, in particular accessibility service access, notification access, "display over other apps", and the screen-recording consent prompt; these are the grants behind the screen reading, notification interception, overlay and screen-capture capabilities described above, and a notes or flashlight app has no reason to ask for them
- Device performance degradation after installing new applications
- Unexpected pop-ups or overlay screens, especially when accessing sensitive apps
Protective Measures:
- Only install applications from Google Play Store or verified enterprise sources
- Review requested permissions carefully before granting access
- Keep Android operating system and security patches current
- Consider mobile threat defense solutions for managed enterprise devices
- Enable Google Play Protect and heed its warnings
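The structural check a practitioner can actually run is to compare a sideloaded APK with the genuine build. A repackaged app must be re-signed, because the developer's private key is not inside the APK, and the injected component usually drags in permissions the original never requested. The script below is an added example, not code from iVerify or from the Cellik tooling: it parses the output of `apksigner verify --print-certs` and `aapt dump badging` (both real Android SDK tools), compares the signer digest against a pinned expected value, and diffs the requested permissions. All sample outputs and the `EXPECTED_SIGNER` digest are constructed placeholders, not any real app's values.

```python
"""Repackaging triage for a sideloaded APK (added example, not page code).

Compares a suspect APK's signer and requested permissions against the
genuine build. Inputs are the text printed by `apksigner verify --print-certs`
and `aapt dump badging`; every sample below is constructed for this example,
and EXPECTED_SIGNER is a placeholder, not any real developer's key.
"""
import re

SIGNER_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})")
PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)
PERM_RE = re.compile(r"^uses-permission: name='([^']+)'", re.MULTILINE)

# Manifest permissions behind the capabilities the article lists. Accessibility
# and notification-listener services are declared on <service> elements with
# android:permission= rather than via uses-permission, so they are checked in
# the manifest tree or on-device settings, not from badging output.
CAPABILITY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay injection (fake login screens)",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen capture/streaming",
    "android.permission.READ_EXTERNAL_STORAGE": "filesystem browsing and exfiltration",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "filesystem browsing and exfiltration",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing additional packages",
    "android.permission.QUERY_ALL_PACKAGES": "enumerating installed apps to overlay",
}


def signer_digests(apksigner_output: str) -> set[str]:
    """SHA-256 digests of every signing certificate apksigner reports."""
    return set(SIGNER_RE.findall(apksigner_output))


def package_name(badging_output: str) -> str:
    m = PACKAGE_RE.search(badging_output)
    return m.group(1) if m else ""


def requested_permissions(badging_output: str) -> set[str]:
    return set(PERM_RE.findall(badging_output))


def triage(baseline_badging, suspect_badging, suspect_apksigner, expected_signers):
    """Return structural repackaging indicators for the suspect APK."""
    same_package = package_name(baseline_badging) == package_name(suspect_badging)
    suspect_signers = signer_digests(suspect_apksigner)
    # Any signer outside the pinned set is a hard indicator: the attacker
    # cannot reproduce the developer's signature, however clean the app looks.
    signer_ok = bool(suspect_signers) and suspect_signers <= set(expected_signers)
    added = requested_permissions(suspect_badging) - requested_permissions(baseline_badging)
    hits = {p: CAPABILITY_PERMISSIONS[p] for p in added if p in CAPABILITY_PERMISSIONS}
    if same_package and not signer_ok:
        verdict = "likely repackaged"
    elif hits:
        verdict = "suspicious permissions"
    else:
        verdict = "consistent with baseline"
    return {"same_package": same_package, "signer_ok": signer_ok,
            "added_permissions": added, "capability_hits": hits, "verdict": verdict}


# --- constructed sample inputs (placeholders, not real apps or keys) ---
EXPECTED_SIGNER = "a1" * 32   # hypothetical pinned digest of the genuine developer key
ATTACKER_SIGNER = "f0" * 32   # hypothetical digest of the re-signing key

def _apksigner_output(digest: str) -> str:
    return (f"Verifies\nNumber of signers: 1\n"
            f"Signer #1 certificate DN: CN=Android, O=Unknown\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")

BASELINE_BADGING = """package: name='com.example.notes' versionCode='42' versionName='1.4'
sdkVersion:'26'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
application-label:'Notes'
"""

SUSPECT_BADGING = """package: name='com.example.notes' versionCode='42' versionName='1.4'
sdkVersion:'26'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
application-label:'Notes'
"""

if __name__ == "__main__":
    for label, badging, sig in (("genuine", BASELINE_BADGING, EXPECTED_SIGNER),
                                ("sideloaded", SUSPECT_BADGING, ATTACKER_SIGNER)):
        r = triage(BASELINE_BADGING, badging, _apksigner_output(sig), {EXPECTED_SIGNER})
        print(label, r["verdict"], sorted(r["capability_hits"].values()))
```

In practice the baseline badging comes from the Play build pulled onto a trusted device, and the suspect inputs from `apksigner verify --print-certs suspect.apk` and `aapt dump badging suspect.apk`. The two grants that cannot be read from badging output, accessibility and notification access, can be checked on a connected device with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`; any unexpected package in either list deserves the same scrutiny as a signer mismatch.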
Organizational Implications
For enterprises with BYOD policies or managed mobile devices, Cellik represents a significant risk. A single infected device can provide attackers with access to corporate email, authentication tokens, and sensitive documents. Organizations should consider:
- Implementing mobile device management (MDM) with application allowlisting
- Deploying mobile threat defense solutions that detect behavioral anomalies
- Establishing clear policies prohibiting application installation from untrusted sources
- Conducting regular mobile security awareness training
- Enabling conditional access policies that verify device security posture
The Broader Trend
Cellik is the latest example of the continued professionalization of cybercrime. By packaging sophisticated capabilities into accessible, subscription-based services, criminal entrepreneurs are creating an ecosystem where technical expertise is no longer required to conduct advanced attacks.
For defenders, this means the volume and sophistication of mobile threats will likely continue increasing, even as the technical barriers to creating such threats decrease. Proactive security measures and user education remain the most effective countermeasures against this evolving threat landscape.