Cellik is a groundbreaking Android Remote Access Trojan (RAT) that has revolutionized malware distribution by directly integrating with the Google Play Store, allowing attackers to weaponize legitimate apps for stealthy infections. Emerging in late 2025, this malware-as-a-service (MaaS) tool sells for as little as $150 on underground forums, enabling even low-skill cybercriminals to gain near-complete control over victim devices.
Overview: What Makes Cellik Different
Cellik stands out as one of the most insidious Android threats due to its seamless Play Store exploitation. Unlike conventional RATs that rely on phishing or sideloading, Cellik’s web-based panel lets operators browse the Play Store in real time, select high-download apps such as games or productivity tools, and automatically repackage them with the RAT payload using a one-click builder interface. This process involves downloading the original APK, injecting obfuscated modules via smali code manipulation, re-signing the application using spoofed certificates, and generating a distributable file that mimics the genuine app’s signature and metadata. Once users install these trojanized applications, often promoted via fake ads or third-party sites, the RAT activates silently, requesting permissions incrementally to avoid raising suspicion.
Researchers at iVerify first analyzed Cellik in mid-December 2025, revealing its modular architecture built on Java and native libraries for persistence and evasion. It draws inspiration from predecessors like HyperRat and AhMyth but innovates with Play Store-specific automation, potentially enabling large-scale infections across the global Android ecosystem.
Detailed Capabilities Breakdown
Cellik’s feature set provides attackers with near-total control over infected devices. Here’s an exhaustive look at its arsenal:
Live Screen Streaming and Remote UI Control: The RAT captures and mirrors the screen in real time at high fidelity (up to 30 FPS), allowing attackers to interact with the UI via touch emulation. This enables navigating apps, filling forms, or executing transactions without the victim’s knowledge, making it ideal for banking fraud, account takeover, and data exfiltration.
Advanced Keylogging and Clipboard Monitoring: Every keystroke across all apps, browsers, and system inputs is logged and exfiltrated via encrypted channels. Clipboard access captures copied passwords, API keys, and cryptocurrency recovery phrases, while notification interception hides antivirus alerts or two-factor codes.
Overlay-Based Credential Phishing: Cellik’s injection engine overlays fraudulent interfaces on top of legitimate apps (e.g., Gmail login, banking dashboards, or WhatsApp). These pop-ups prompt credential re-entry, harvesting data instantly and blending seamlessly with the native UI to defeat user skepticism.
Multimedia Surveillance Suite: Remote activation of front/rear cameras, microphone for call eavesdropping, and GPS for precise location tracking. Recorded media uploads to the C2 server, enabling blackmail, surveillance, stalking, and targeted fraud campaigns.
File System Mastery: Bidirectional file operations allow browsing, uploading, downloading, or wiping directories, including rooted access to secure folders or SD cards. Specialized modules target crypto wallets (e.g., MetaMask, Trust Wallet), exporting seeds or simulating transfers.
Persistence, Stealth, and Evasion Mechanisms: Boot-time receivers, accessibility service abuse, and dynamic code loading ensure survival through reboots, factory resets, or antivirus scans. A hidden WebView browser facilitates session hijacking by cloning cookies from banking sites.
Network and Command Infrastructure: All traffic routes through a hardened C2 panel with Telegram bot integration for push notifications. Commands are obfuscated with AES encryption and domain generation algorithms to bypass firewalls and DPI.
These capabilities operate via a polished, SaaS-like dashboard resembling legitimate remote desktop tools, complete with device lists, live previews, and export logs.
How Cellik Abuses the Play Store Ecosystem
The heart of Cellik’s danger is its Play Store bundler. Attackers log into the panel, query apps by name or category, and the tool fetches APKs directly (bypassing download restrictions via proxies). Injection preserves app functionality to dodge behavioral detection, while minor UI tweaks (e.g., altered icons) aid impersonation. Distributed via web redirects or Telegram channels, these APKs often rank high in search results for “free premium” versions. Google Play Protect’s static analysis often fails in this scenario, as the payload hides in benign modules until triggered remotely.
Historical Context and Evolution
Android RATs date back to early tools such as AndroRAT in the 2010s, evolving through DroidJack and QuasarRAT into modern MaaS like Cellik. Its 2025 debut coincides with tightened Play Store policies post-2024 malware waves, ironically exploiting vetting loopholes. Underground forum sales reportedly spiked following the iVerify disclosure, with bundles including crypters and loaders for $150-300/month.
Real-World Infections and Case Studies
Early 2025 reports link Cellik to campaigns targeting fitness trackers, VPN apps, and casual games, genres with lax reviews. Victims across Southeast Asia and Europe reported drained PayPal accounts and spied-on family photos, with one enterprise BYOD breach exposing 500+ devices. At the time of writing, no official Google takedown statistics were available, but forum chatter suggests 1,000+ kits sold.
Technical Analysis Highlights
Disassemblies show Cellik using Frida-like hooks for runtime manipulation and ProGuard obfuscation. Payloads average 5-10MB, with C2 domains rotating weekly. YARA rules for detection focus on strings like “cellik_panel” or API calls to AccessibilityService.enable().
| Feature | Cellik | HyperRat | AhMyth |
|---|---|---|---|
| Play Store Bundler | Yes (1-click) | No | No |
| Screen Resolution | HD (1080p+) | SD | HD |
| Price | $150/mo | $100/mo | Free |
| Persistence | Boot + Reset | Boot Only | Basic |
| Overlay Attacks | Advanced | Basic | None |
Risk Assessment: Impact on Users and Enterprises
Individuals face identity theft and financial ruin; enterprises risk IP leaks via shadow IT. High-risk sectors: finance, healthcare, government. Infection vectors also extend to repackaged APKs on sites like APKPure or via SMS lures.
Comprehensive Prevention Guide:
User-Level Preventive Measures: Download only from official Play Store; verify developer (e.g., Google LLC) and read recent reviews for red flags like “crashes after login.”
Security Layers: Activate Play Protect, Google auto-updates, and app permission audits. Install Malwarebytes or Bitdefender for behavioral scanning.
Advanced Tools: Use Hypatia (GrapheneOS AV) or enterprise MDM like Intune for anomaly alerts.
Behavioral Checks: Watch for battery drain, pop-up lags, or unknown network activity via apps like GlassWire.
Response Protocol: If infected, factory reset, change all passwords via clean device, scan with multiple AVs, and monitor accounts.
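A defender-side version of the permission audit recommended above, tied to the accessibility-service abuse and overlay phishing described in the capabilities section. This is an added example, not code from the original article or from any of the cited research: it parses the text output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` and flags packages that combine an enabled accessibility service with the permission set Cellik is described as using. The sample output is constructed, and the package names, allowlist, and "three or more capabilities" threshold are assumptions.

```python
import re
# Permissions matching the capabilities described for Cellik (overlay, boot persistence, camera/mic/GPS, SMS).
RISKY = {"android.permission.SYSTEM_ALERT_WINDOW": "overlay", "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
         "android.permission.CAMERA": "camera", "android.permission.RECORD_AUDIO": "microphone",
         "android.permission.ACCESS_FINE_LOCATION": "GPS", "android.permission.READ_SMS": "SMS"}

def parse_requested_permissions(dumpsys: str) -> dict[str, set[str]]:
    """Map package name -> requested permissions from `dumpsys package` text."""
    result, pkg, in_block = {}, None, False
    for line in dumpsys.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:                                   # a new package record starts here
            pkg, in_block = m.group(1), False
            result[pkg] = set()
            continue
        s = line.strip()
        if s == "requested permissions:":
            in_block = True
        elif s.endswith(":"):                   # any other section header ends the block
            in_block = False
        elif in_block and pkg and s:
            result[pkg].add(s)                  # one permission name per line
    return result

def enabled_accessibility_packages(setting: str) -> set[str]:
    """Parse `settings get secure enabled_accessibility_services` ('pkg/svc:pkg/svc' or 'null')."""
    if not setting or setting.strip() == "null":
        return set()
    return {e.split("/")[0] for e in setting.strip().split(":") if e}

def triage(dumpsys: str, a11y_setting: str, allowlist: set[str]) -> list[dict]:
    """Flag non-allowlisted packages with an enabled accessibility service or 3+ RISKY capabilities."""
    a11y, findings = enabled_accessibility_packages(a11y_setting), []
    for pkg, perms in parse_requested_permissions(dumpsys).items():
        caps = sorted(RISKY[p] for p in perms if p in RISKY)
        if pkg not in allowlist and (pkg in a11y or len(caps) >= 3):
            findings.append({"package": pkg, "accessibility": pkg in a11y, "capabilities": caps})
    return findings
# Constructed sample (not captured from a real device), trimmed to the fields this script reads.
SAMPLE_DUMPSYS = """  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.freegame] (4d5e6f):
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.CAMERA
"""
SAMPLE_A11Y = "com.example.freegame/com.example.freegame.AccService"
```

On a real device, feed `triage()` the two command outputs and an allowlist of the accessibility services you expect (a screen reader, an MDM agent), then review any flagged package against its Play Store listing and signer before trusting it.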
Future Outlook and Security Recommendations
Cellik variants may hit iOS via TestFlight or expand to Wear OS/TV. Google pledged enhanced ML scanning in Q1 2026; users should advocate for better transparency. Researchers urge reporting suspicious APKs to Google via Play Console.
References:
iVerify Blog: “Meet Cellik – A New Android RAT With Play Store Integration” (Dec 14, 2025) – https://iverify.io/blog/meet-cellik—a-new-android-rat-with-play-store-integration
CyberInsider: “New Android RAT ‘Cellik’ emerges with Play Store integration” (Dec 15, 2025) – https://cyberinsider.com/new-android-rat-cellik-emerges-with-play-store-integration/
SecurityWeek: “New $150 Cellik RAT Grants Android Control, Trojanizes Google Play Apps” (Dec 17, 2025) – https://www.securityweek.com/new-150-cellik-rat-grants-android-control-trojanizes-google-play-apps/
DarkReading: “‘Cellik’ Android RAT Leverages Google Play Store” (Dec 18, 2025) – https://www.darkreading.com/threat-intelligence/cellik-android-rat-leverages-google-play-store
