Cellik Android malware builds malicious versions from Google Play apps

A new Android malware-as-a-service (MaaS) called Cellik is being advertised on underground cybercrime forums. For a subscription fee of 0 per month or a one-time payment of 0 for lifetime access, buyers can embed its payload into any app listed on the Google Play Store, producing trojanized versions of popular applications that look like the real thing.

Because the repackaged app keeps the original app's interface and functionality, the victim has nothing obvious to notice, and an infection can persist undetected for a long time. The seller claims the technique helps the payload bypass Google Play Protect; that claim has not been verified.

Cellik capabilities

According to findings from mobile security firm iVerify, Cellik's feature set includes:

  • Real-time screen capture and streaming of the victim’s device.
  • Interception of app notifications.
  • Access to the filesystem for file browsing and exfiltration.
  • Data wiping capabilities.
  • Encrypted communication with a command-and-control (C2) server.

Live feed of the victim’s screen
Source: iVerify

Cellik also includes a hidden browser mode that lets the attacker browse websites using the victim’s stored cookies, i.e. ride the victim's already-authenticated web sessions without needing their passwords. Its app injection system can draw fake login screens over existing applications (overlay attacks) or insert malicious code into them, which is how credentials are harvested.

The ability to inject payloads into apps that are already installed is especially problematic for detection: a trusted, previously benign application starts behaving maliciously, and nothing new appears in the app list to draw attention.

Cellik’s hidden browser mode
Source: iVerify

Cellik's distinguishing feature is a builder integrated with the Google Play Store: the operator browses the store, picks a target app and generates a trojanized variant of it. As iVerify puts it, “The seller claims Cellik can bypass Google Play security features by wrapping its payload in trusted apps, essentially disabling Play Protect detection.” If true, that would undermine both automated app review and on-device scanning when a trojan is hidden inside a popular, well-known package. One practical caveat: a repackaged APK has to be re-signed with the attacker's own key, so Android's package installer will not accept it as an update to a copy of the same app that was legitimately installed from the Play Store (the signing certificates do not match). The victim therefore has to sideload it, which is exactly where the Play Protect claim matters.

BleepingComputer has asked Google whether apps bundled with Cellik can evade Play Protect and has not yet received a response. Until then, the usual defences apply: do not sideload APKs from untrusted sources, keep Play Protect enabled, review what permissions and special access (notification access, accessibility services, display over other apps) each installed app holds, and treat unexpected behaviour from a familiar app as a warning sign.
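As an added example (not code from the article or from iVerify), the script below turns the "review your apps" advice into a quick triage of `adb shell` output for the device-side signals that Cellik's feature set depends on: sideloaded third-party packages, packages bound as notification listeners (notification interception) and packages enabled as accessibility services (a common route to screen streaming and overlay behaviour). It assumes the output formats of `pm list packages -i -3` and `settings get secure ...` match the constructed samples embedded in the block; every package and component name in those samples is hypothetical.

```python
"""Triage adb output for signals consistent with the Cellik feature set.

Inputs (formats assumed to match the constructed samples below):
  adb shell pm list packages -i -3                         -> installer per package
  adb shell settings get secure enabled_notification_listeners
  adb shell settings get secure enabled_accessibility_services
"""
import re

PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -i -3` (hypothetical packages).
PM_LIST_SAMPLE = """\
package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=null
package:com.example.weather  installer=com.android.vending
package:org.example.sysupdate  installer=null
"""

# Constructed sample of `settings get secure enabled_notification_listeners`.
LISTENERS_SAMPLE = (
    "com.example.notes/com.example.notes.NotifService:"
    "org.example.sysupdate/org.example.sysupdate.NlService"
)

# Constructed sample of `settings get secure enabled_accessibility_services`.
A11Y_SAMPLE = "org.example.sysupdate/org.example.sysupdate.A11yService"

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package -> installer package, or None when sideloaded (installer=null)."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_components(setting_value):
    """Set of packages from a colon-separated component list such as
    `pkg/pkg.Service:pkg2/pkg2.Service`; `settings get` prints the literal
    string `null` when the setting is unset."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting_value.split(":") if c}


def triage(pm_output, listeners_value, a11y_value):
    """Return {package: [flags]} for every package with at least one signal.
    Flags are emitted in a fixed order so results are stable."""
    installers = parse_installers(pm_output)
    listener_pkgs = parse_components(listeners_value)
    a11y_pkgs = parse_components(a11y_value)

    findings = {}
    for pkg in sorted(set(installers) | listener_pkgs | a11y_pkgs):
        flags = []
        # Packages absent from the third-party list are system apps; only
        # call something "sideloaded" when the list actually covers it.
        if pkg in installers and installers[pkg] != PLAY_STORE:
            flags.append("sideloaded")
        if pkg in listener_pkgs:
            flags.append("notification-listener")
        if pkg in a11y_pkgs:
            flags.append("accessibility-service")
        if flags:
            findings[pkg] = flags
    return findings


def severity(flags):
    """A sideloaded package that also holds a listener or accessibility
    binding is the combination to look at first."""
    if "sideloaded" in flags and len(flags) > 1:
        return "high"
    if "accessibility-service" in flags or "notification-listener" in flags:
        return "medium"
    return "low"


if __name__ == "__main__":
    for pkg, flags in triage(PM_LIST_SAMPLE, LISTENERS_SAMPLE, A11Y_SAMPLE).items():
        print(f"{severity(flags):6} {pkg}: {', '.join(flags)}")
```

On a real device, pipe the three commands' output into the three parameters. The installer check only catches the sideloaded case; if a trojanized build ever did reach the Play Store, as the seller claims is possible, the installer would be `com.android.vending` and only the listener and accessibility signals would fire, so they should be reviewed on their own merits rather than filtered by installer.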
