
Analysis of Cellik: Android Malware Using Legitimate Apps for Evasion

New research identifies Cellik, a remote access tool that wraps malicious payloads inside legitimate Android applications to evade detection. Understanding its distribution method—which relies on social engineering rather than software vulnerabilities—is essential for securing mobile environments.

Triage Security Media Team

A new Android malware-as-a-service offering, known as "Cellik," demonstrates a shift in how threat actors bypass mobile security controls. Research published by Daniel Kelley, a research fellow with mobile security provider iVerify, details how this tool leverages the Google Play Store ecosystem to create modified versions of legitimate applications, turning trusted software into a delivery mechanism for unauthorized remote access.

While Android malware is common, Cellik distinguishes itself through its integration with legitimate app ecosystems. Rather than relying on technical exploits to compromise a device, it provides operators with an automated workflow to bundle malicious code with standard applications. This lowers the technical barrier for entry, allowing threat actors to conduct mobile surveillance campaigns with minimal development effort.

Operational Mechanics and Capabilities

Once installed on a target device, Cellik establishes a connection that grants the operator extensive control over the system. The iVerify analysis indicates that the malware functions as a comprehensive surveillance suite. It supports real-time screen streaming, allowing the operator to view and interact with the device interface remotely.

The tool provides access to sensitive data points, including:

  • Input Monitoring: A keylogger captures user inputs.

  • Notification Access: The malware intercepts on-screen notifications, which can expose one-time passcodes (OTPs) and message history.

  • File System Control: Operators can encrypt, transfer, or delete files stored on the device or linked cloud directories.

  • Browser Data: The tool can access cookies and auto-fill credentials.

Kelley notes that the malware includes a hidden browser capability. This allows the operator to navigate to websites, interact with links, and submit forms in the background without alerting the user. While these file transfers and communications are encrypted to avoid network-level detection, the activity occurs locally on the device.

The malware also features an injection builder. This component allows operators to deploy overlays—such as simulated login screens—on top of other applications to harvest credentials. These overlays are customizable, enabling the malware to target specific banking or social media applications installed on the phone.

Distribution via App Wrapping

Cellik’s primary evasion technique involves an automated builder that interacts with the Google Play Store. The service allows an operator to select a legitimate application, download it, and automatically wrap a payload around the clean software.

The resulting package retains the functionality of the original app but includes the malware in the background. According to Kelley, the sellers of Cellik claim this wrapping process helps bypass Google Play Protect detection. By embedding the malicious code inside a widely recognized application package, the malware attempts to evade automated security reviews and device-level scanners.

The distribution of these modified apps typically relies on social engineering. Kelley explained that operators distribute the files through channels where users are accustomed to "sideloading" applications—installing software from sources outside the official Google Play Store. The malware does not rely on software vulnerabilities; instead, it depends on the user’s trust in the application they believe they are installing.

Defending Against Modified Applications

The emergence of tools like Cellik highlights the importance of supply chain integrity for mobile applications. With subscription tiers that include $150 per month and $900 for lifetime access, these tools are accessible to a wide range of threat actors.

For organizations protecting mobile fleets, the primary defense against this category of malware is strict application management. Security teams should prioritize the following measures:

  • Restrict Sideloading: Enforce policies that prevent the installation of applications from unknown sources. Restricting devices to official app stores significantly reduces the attack surface for wrapped malware.

  • Verify Application Integrity: If manual installation of APK files is necessary, strictly verify cryptographic hashes and signatures against the official developer’s release to ensure the code has not been modified.

  • Endpoint Visibility: Deploy mobile endpoint detection and response (EDR) solutions capable of flagging unauthorized processes or suspicious network connections initiated by installed applications.
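One way to carry out the integrity check above, as an added example that is not iVerify's or Cellik's code: the script compares a sideloaded APK's SHA-256 against the hash pinned from the developer's official release and reports which signature schemes the file carries, since wrapping changes the package bytes and so breaks both. The sample APK is constructed in memory and is not a real app; the pinned hash is whatever the caller supplies.

```python
import hashlib
import io
import struct
import zipfile

# Trailer magic of the APK Signing Block (v2/v3); it occupies the 16 bytes
# immediately before the zip central directory.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def _central_directory_offset(apk: bytes) -> int:
    # End-of-central-directory record: 4-byte signature, CD offset at +16.
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0: raise ValueError("not a zip/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def signature_schemes(apk: bytes) -> dict:
    """Report v1 (JAR) signature files and whether a v2+ signing block exists."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        v1 = [n for n in zf.namelist() if n.startswith("META-INF/")
              and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    cd = _central_directory_offset(apk)
    v2_plus = cd >= 16 and apk[cd - 16:cd] == APK_SIG_BLOCK_MAGIC
    return {"v1_signature_files": v1, "v2_plus_block": v2_plus}

def check_apk(apk: bytes, expected_sha256: str) -> dict:
    """Compare the package hash with the developer's pinned release hash; a
    repackaged app keeps its look and feel but cannot keep the original bytes."""
    report = signature_schemes(apk)
    report["sha256"] = hashlib.sha256(apk).hexdigest()
    report["hash_matches"] = report["sha256"] == expected_sha256.lower()
    report["signed"] = bool(report["v1_signature_files"]) or report["v2_plus_block"]
    return report

def build_sample_apk(with_sig_block: bool) -> bytes:
    """Constructed sample (not a real app): a minimal zip, optionally with an
    empty APK Signing Block spliced in ahead of the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
    data = bytearray(buf.getvalue())
    if not with_sig_block:
        return bytes(data)
    cd = _central_directory_offset(data)
    # size_of_block (excludes itself) = pairs(0) + size_of_block(8) + magic(16)
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    data[cd:cd] = block                                # insert before the CD
    eocd = data.rfind(b"PK\x05\x06")
    struct.pack_into("<I", data, eocd + 16, cd + len(block))  # repoint the CD
    return bytes(data)
```

A real check pins the hash (and ideally the signer certificate fingerprint) published by the developer, never a value taken from the same channel that supplied the APK.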

Because Cellik operates by deceiving the user rather than breaking the operating system, user awareness regarding the risks of unofficial app sources remains a critical control.