The Play Store Predator: New Cellik Spyware Can Trojanize Any App With One Click
Researchers at iVerify have identified a new Android remote access trojan dubbed Cellik, which blends the capabilities of full-fledged spyware with the ability to masquerade as legitimate applications from Google Play. The malware is already circulating on underground marketplaces and is designed for mass adoption, including by attackers with minimal technical expertise.
Cellik grants comprehensive control over an infected device and enables continuous, real-time surveillance. Its arsenal includes live screen streaming paired with remote interface control, keystroke logging, access to the camera and microphone, and the ability to read all notifications. This allows attackers to intercept private messages and one-time codes displayed on the smartphone screen. The trojan also unlocks full access to the file system, including cloud storage directories, with options to download, delete, and exfiltrate data in encrypted form.
The report places particular emphasis on Cellik’s built-in stealth browser. Operating invisibly to the device owner, it allows attackers to remotely open websites, fill out forms, and follow links, while receiving a continuous stream of screenshots in real time. This mechanism can be exploited to access services with active sessions or to conduct phishing attacks, with credentials captured directly by the trojan.
Another especially dangerous capability is a module for code injection into other applications. Through it, attackers can overlay fake login windows atop banking or email apps, or extract data directly from them. The system supports simultaneous interaction with multiple applications, consolidating harvested information within a single command-and-control interface.
A defining feature of Cellik is its integration with Google Play. The control panel includes a tool that allows operators to select any legitimate app from the store and automatically embed the malicious payload within it. The result is a new installation package that appears indistinguishable from a genuine application. According to its vendors, this approach significantly improves the chances of evading Android’s built-in security checks and defenses.
The emergence of Cellik reflects the broader expansion of the “malware-as-a-service” ecosystem on Android. Such platforms offer turnkey tools for generating installers, managing infected devices, and orchestrating campaigns at scale. While Cellik is often compared to HyperRat, PhantomOS, and Nebula, it stands out for its direct Play Store integration and its extensive feature set, including location tracking, communications interception, cryptocurrency wallet theft, and detailed user behavior analysis.