New Android Malware Cellik Disguises Itself as Legitimate Google Play Apps
Researchers at iVerify have identified a new Android malware called Cellik being sold on underground forums through a malware-as-a-service model. What sets Cellik apart is its ability to impersonate legitimate applications from the Google Play Store.
The malware costs $150 per month or $900 for lifetime access. Cybercriminals who purchase Cellik can select virtually any app from the official Android store and create a weaponized copy that retains the original's interface and functionality. Victims receive what appears to be a working application that performs as expected while secretly exfiltrating data to attackers.
Cellik includes an APK file constructor with direct Google Play Store integration. This allows hackers to browse the application catalog and generate infected versions with minimal effort. The malware's developers claim these modified apps can bypass Play Protect security checks, though this assertion remains unverified.
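A weaponized copy rebuilt by a third party cannot be signed with the original publisher's key, so its signing certificate differs from the genuine app's. The following added example (not code from iVerify or from the original article) classifies APKs by comparing the certificate digests printed by `apksigner verify --print-certs` against a baseline; the package names, digests and sample outputs are constructed placeholders.

```python
import re

# Constructed baseline (placeholder digests, not real ones): package name ->
# SHA-256 digests of the publisher's genuine signing certificates.
KNOWN_GOOD = {
    "com.example.bank": {"aa" * 32},
    "com.example.chat": {"bb" * 32, "cc" * 32},  # two accepted certs
}

# Matches the digest lines of `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer\b.*?certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.M)

def signer_digests(apksigner_output):
    """Return normalized 64-hex-char SHA-256 signer digests found in the text."""
    found = {d.replace(":", "").lower() for d in DIGEST_RE.findall(apksigner_output)}
    return {d for d in found if len(d) == 64}

def classify(package, apksigner_output, baseline=KNOWN_GOOD):
    """Compare an APK's signer digests with the baseline for its package name."""
    digests = signer_digests(apksigner_output)
    if not digests:
        return "unverifiable"        # unsigned or failed verification: do not trust
    expected = baseline.get(package)
    if expected is None:
        return "unknown-package"     # no baseline entry, needs manual review
    # Every signer must be a known publisher certificate.
    return "genuine-signer" if digests <= expected else "signer-mismatch"

# Constructed sample outputs, shaped like apksigner's certificate listing.
SAMPLES = [
    ("com.example.bank", "Signer #1 certificate DN: CN=Example Bank\n"
                         "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n"),
    ("com.example.bank", "Signer #1 certificate DN: CN=Android Debug\n"
                         "Signer #1 certificate SHA-256 digest: " + "dd" * 32 + "\n"),
    ("com.example.chat", "(constructed) verification failed, no signer listed\n"),
]

def audit(samples=SAMPLES):
    """Classify every (package, apksigner output) pair in the sample set."""
    return [(pkg, classify(pkg, out)) for pkg, out in samples]

if __name__ == "__main__":
    for pkg, verdict in audit():
        print(f"{pkg}: {verdict}")
```

Baseline digests should be taken from a copy obtained directly from the publisher or the official store listing, never from the APK under review.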

Capabilities
The Trojan can:
- Stream the infected device's screen in real time
- Intercept notifications from any application
- Access the file system and exfiltrate data
- Wipe all data from the compromised device
- Maintain encrypted communication with command-and-control servers

Credential Theft
Cellik's credential-stealing features represent its most serious threat. The malware injects fake login screens that overlay legitimate applications. When users enter credentials—believing they're accessing a banking app or social network—attackers capture the information.
The malware also operates a hidden browser mode. Cybercriminals can use the infected device to visit websites using the victim's saved cookies, gaining account access without passwords and bypassing two-factor authentication.

Detection Challenges
Cellik can inject malicious code directly into applications already installed on a device. This makes infection detection extremely difficult—applications users have trusted for years can become compromised without visible changes.