Bitcoin Forum
Author Topic: A New Android RAT With Play Store Integration  (Read 248 times)
lovesmayfamilis (OP)
December 19, 2025, 01:35:29 PM
Merited by Charles-Tim (1), Cricktor (1)
#1

Quote
Cellik is a newly identified Android RAT that offers full device control and real-time surveillance, with Play Store integration that lets attackers bundle it into legitimate apps.

Quote
The attacker can remotely navigate to websites, click links, and fill out forms through this hidden browser, all without the phone’s owner seeing any activity on their screen. This feature streams screenshots back to the attacker in real time, essentially giving a live feed of any page the attacker visits.

Using the hidden browser, a cybercriminal could quietly log into websites using the victim’s saved cookies, or auto-fill credentials on phishing pages. Cellik can capture any form data submitted in the hidden browser, so if the victim is tricked into entering passwords or credit card info, the RAT will intercept those details.

https://iverify.io/blog/meet-cellik---a-new-android-rat-with-play-store-integration

Those who trust their Android phones with their information might find this article helpful, as it clearly explains how hackers, even those with limited knowledge, can gain full access to your device. The main danger of the new Cellik malware lies in its ability to disguise itself as legitimate apps from the Google Play Store. This malware is currently being actively sold on hacker websites, and customers who purchase it can choose any app from the Google Play Store and create a malicious copy of it, and the victim receives a fully functional app but with full control over their phone.

"Researchers write that Cellik's ability to steal credentials poses a particular threat. The malware is equipped with a system for injecting fake login screens that are overlaid on legitimate apps. When the user enters their username and password (thinking they are logging into a banking app, cryptocurrency app, or social network), the data is intercepted by hackers."

So every time you're about to save something important on your phone, consider that you might not be the only owner of that data.

5W-KILO
December 19, 2025, 03:21:08 PM
#2

It seems like hackers are now working more on getting data from Android devices than PCs. They are fully aware that people prefer to keep a lot of stuff on Android because it's easier to move around than carrying a laptop bag everywhere you go. These days many Android vulnerabilities keep coming to light, and it's getting scarier every day.

I don't care about what others keep on their phones; the only thing I care about is how gullible investors are that they are still neglecting hardware wallets.

Hardware wallets are non-negotiable for serious amounts. Yes, they cost a few hundred; this is nothing compared to losing everything if your hot wallet gets compromised.

noorman0
December 19, 2025, 04:46:31 PM
#3

Quote
-snip-
they are fully aware that people prefer to keep a lot of stuff on Android because it's easier to move around than carrying a laptop bag everywhere you go,
This isn't actually a new type of malware, and the real reason isn't because users store a lot of data.

Android has many access and control restrictions, especially for monitoring performance, running apps, and hidden system files. If you don't have developer mode enabled, the situation is even worse. This type of attack is, of course, random, even if the phone doesn't contain any important data.

Alpha Marine
December 19, 2025, 04:50:35 PM
Merited by lovesmayfamilis (1)
#4

I read the article hoping to see if it would say how the malware gets into your phone, but they didn't say. It is through phishing links or downloading a malicious app. I am interested in knowing because if I understand how it can get on my phone, then I can be more cautious in that regard.

Quote
This means a cybercriminal can take a popular app (like a game or utility that targets are likely to install), insert Cellik’s code into it, and repackage it as an installer, all using Cellik’s built-in toolkit.
I also have a question about this. Pardon me if it sounds silly. Does this mean that anyone downloading the app from the Play Store will also be downloading the malware, or only the person with the infected device?

Quote
So every time you're about to save something important on your phone, consider that you might not be the only owner of that data.

With this, you don't even need to save it on your phone to be exposed because the article says "an attacker can watch the victim’s screen live with minimal lag and simulate taps or swipes as if holding the device."
They can basically see everything you write as you write it, so even if you don't save it on your phone, you're not safe if the malware is already in your device.

promise444c5
December 19, 2025, 08:03:38 PM
#5

Quote
I read the article hoping to see if it would say how the malware gets into your phone, but they didn't say. It is through phishing links or downloading a malicious app. I am interested in knowing because if I understand how it can get on my phone, then I can be more cautious in that regard.

No, but if the malware is already present, the attacker can identify targets from apps already installed from Google Play or browse Google Play for popular apps… The apps are then repackaged and shared or sent to you through social engineering or other means. You would have to install it manually for it to replace the already installed legitimate app, not directly through Google. It appears and needs to bypass Play Protect because the legitimate app also exists on Google Play, which makes users trust it as legitimate (with the bypass).

Unless there is a complete system hijack (which I am not sure of), they cannot replace apps on your device without permission. Otherwise, you have to do it yourself.

SamReomo
December 19, 2025, 08:11:01 PM
#6

Android isn't safe, and neither is iOS; the safest operating system is always the one with open source packaging. In my opinion, those who're using Ubuntu Touch, which isn't available for most phones, are the ones who're safe from most RATs and malware. I'm not sure if anyone knows about it, but I believe the ones with a phone like Redmi Note 9 Pro can install Ubuntu Touch, and that might be a good selection when it comes to security and safety of one's device.

joniboini
December 20, 2025, 02:12:26 AM
#7

Quote
Android isn't safe, and neither is iOS; the safest operating system is always the one with open source packaging. In my opinion, those who're using Ubuntu Touch, which isn't available for most phones, are the ones who're safe from most RATs and malware.
How are they safe from malware? What are the key differences?

Speaking of open sources, I believe Android itself is open source. Only the Google services aren't (it's for the manufacturer to think about). The problem usually arises when manufacturers lock the bootloader or a similar feature. I remember flashing a custom ROM for my Xiaomi phones in the past, using TWRP to install superuser and so on. CMIIW.

DYING_S0UL
December 20, 2025, 10:47:20 AM
#8

Quote
Android isn't safe, and neither is iOS; the safest operating system is always the one with open source packaging. In my opinion, those who're using Ubuntu Touch, which isn't available for most phones, are the ones who're safe from most RATs and malware.
How are they safe from malware? What are the key differences?

Speaking of open sources, I believe Android itself is open source. Only the Google services aren't (it's for the manufacturer to think about). The problem usually arises when manufacturers lock the bootloader or a similar feature. I remember flashing a custom ROM for my Xiaomi phones in the past, using TWRP to install superuser and so on. CMIIW.

Sorry, I don't understand how the problem arises from the bootloader being locked? Can you explain? A locked bootloader means fewer doors to exploit, cmiiw.

Anyway, whether it's Android, iOS or custom ROMs, I believe every platform has its drawbacks, advantages and disadvantages. If we specifically talk about this Cellik RAT, it seems iOS is on the safer side, while Android is being targeted here (this is what I understood from reading the blog from OP). iOS being closed source, it's hard to penetrate but not impossible; Android, on the other side, is being exploited in every other way possible, and when you add custom ROMs into it, it's like opening every door; the ways are limitless. As a custom ROM user myself, I know this much.

Things are not how they used to be. So we have to carefully choose the platforms, as well as the developers who made these ROMs. Nowadays, you don't need to separately flash Magisk (superuser) anymore. It now comes with a kernel-level root implementation which is known as KernelSU/KSU. You just need to flash a ROM shipped with KSU, and you have root. But be careful not to trust any unknown devs, because they can potentially slip in these RATs, or any other malicious code, if they had ill intent.

joniboini
December 20, 2025, 10:55:14 AM
#9

Quote
Sorry, I don't understand how the problem arises from the bootloader being locked? Can you explain? A locked bootloader means fewer doors to exploit, cmiiw.
I wasn't referring to that, more like you can't customize a lot of things if your phone comes with a terrible OS. I guess my wording makes it unclear. For example, some manufacturers include ads on their OS, so you get bombarded with ads here and there. If you want to flash a newer or custom OS (including vanilla one with a higher version), you'll have to unlock the kernel, etc. Some of them don't support that. At least that's how it is when I'm still active on flashing custom ROM on my phones regularly.

pliego
December 20, 2025, 12:17:34 PM
#10

Quote
Sorry, I don't understand how the problem arises from the bootloader being locked? Can you explain? A locked bootloader means fewer doors to exploit, cmiiw.
I wasn't referring to that, more like you can't customize a lot of things if your phone comes with a terrible OS. I guess my wording makes it unclear. For example, some manufacturers include ads on their OS, so you get bombarded with ads here and there. If you want to flash a newer or custom OS (including vanilla one with a higher version), you'll have to unlock the kernel, etc. Some of them don't support that. At least that's how it is when I'm still active on flashing custom ROM on my phones regularly.
custom roms are basically dead for most new phones now unfortunately

DYING_S0UL
December 20, 2025, 12:24:19 PM
#11

Quote
Sorry, I don't understand how the problem arises from the bootloader being locked? Can you explain? A locked bootloader means fewer doors to exploit, cmiiw.
I wasn't referring to that, more like you can't customize a lot of things if your phone comes with a terrible OS. I guess my wording makes it unclear. For example, some manufacturers include ads on their OS, so you get bombarded with ads here and there. If you want to flash a newer or custom OS (including vanilla one with a higher version), you'll have to unlock the kernel, etc. Some of them don't support that. At least that's how it is when I'm still active on flashing custom ROM on my phones regularly.

In that case, I totally got what you meant. I got bored with my same old UI, and the more I updated it, the more the performance went down. So I took the first daring step, unlocked the bootloader with Mi flash tool, sideloaded OrangeFox and a custom ROM, and before I knew it, I became a custom ROM user. After that I never looked back, kept flashing custom ROMs every couple of days, tested different builds for the devs, and so on. So far I have tested over 50-100 ROMs, lost count, and none disappointed me; still using one. There was even one time I installed Kali NetHunter, lol.

As for this topic, IMO, a ROM of vanilla build would be the best to avoid such malware. Because as you know, a vanilla build is Google-free, so no Play Store integration, so fewer ways to get infected, not to mention it comes with the latest security patch as well as Android version. The only problem is regular users can't install it, and prefer the regular bloated OS which is being targeted now.

One thing that still surprises me and is beyond my understanding is how such a small thing as a RAT is able to accomplish such big tasks. It scares me. Just look at the blog: this RAT can do everything, from screen sharing to tracking location, IPs, stealing credentials, hidden browsers, injection, and everything in the background, absolute control. The user wouldn't even notice a thing, as I understood.

Quote
custom roms are basically dead for most new phones now unfortunately

No developer, no ROM. And a new phone doesn't need one anyway.

libert19
December 23, 2025, 05:11:34 PM
#12

As I understand, scammers will still have to make people install the infected app, so despite all its capabilities people will still have to be deceived into installing the infected app.

Plus, I am sure Google will look after it.



...

Quote
Hardware wallets are non-negotiable for serious amounts. Yes, they cost a few hundred; this is nothing compared to losing everything if your hot wallet gets compromised.

Trezor Safe 3, which is quality HW, costs a mere 55 USD.

Quote
I read the article hoping to see if it would say how the malware gets into your phone, but they didn't say. It is through phishing links or downloading a malicious app. I am interested in knowing because if I understand how it can get on my phone, then I can be more cautious in that regard.

You have to download an infected app (whatever the source may be).

Quote
... So far I have tested over 50-100 roms...

If you'd say 50-60, that'd make more sense, 50-100 difference is steep.

Quote
As for this topic, IMO, a ROM of vanilla build would be the best to avoid such malware. Because as you know, a vanilla build is Google-free, so no Play Store integration, so fewer ways to get infected, not to mention it comes with the latest security patch as well as Android version.

What's the problem with Google or Play Store integration? Sure, they may not be privacy friendly, but I don't think they make you more prone to viruses. If you don't use the Play Store, you'll have to use third-party app stores, which IMO would be worse than using the Play Store.

DYING_S0UL
December 23, 2025, 05:39:14 PM
#13

Quote
As for this topic, IMO, a ROM of vanilla build would be the best to avoid such malware. Because as you know, a vanilla build is Google-free, so no Play Store integration, so fewer ways to get infected, not to mention it comes with the latest security patch as well as Android version.

What's the problem with Google or Play Store integration? Sure, they may not be privacy friendly, but I don't think they make you more prone to viruses. If you don't use the Play Store, you'll have to use third-party app stores, which IMO would be worse than using the Play Store.

This comment was specifically meant for this Cellik RAT only, not universal. This one has a Play Store integration feature that lets the malicious app bundle with legitimate apps. Read the full article OP provided, you'll understand what I meant.

The cool thing about a vanilla build is you get to choose what you want, not what they provide. It doesn't even come with a camera app. So you can be very selective about what you install. Updating apps might be a hassle, but as long as you stick to the official sources, they shouldn't pose any issue. That's what I think. Furthermore, we can use F-Droid (https://f-droid.org/) as an alternative to the Play Store. Surely it doesn't have all the apps, but it has what I need.

Cellik is a newly identified Android RAT that offers full device control and real-time surveillance, with Play Store integration that lets attackers bundle it into legitimate apps.

Quote
... So far I have tested over 50-100 roms...

If you'd say 50-60, that'd make more sense, 50-100 difference is steep.

But you just cut the next part, lol. I did say, lost count.
Anyway, the point is, I have probably tested all the available ROMs (many) that I found from the trusted sources, all variations, starting from Android 10 to 16, KSU or without KSU, Official/Unofficial, DynamicPartition/Non DynamicPartition, basically everything until I no longer had the time anymore.

libert19
December 24, 2025, 11:55:03 AM
#14

Quote
As for this topic, IMO, a ROM of vanilla build would be the best to avoid such malware. Because as you know, a vanilla build is Google-free, so no Play Store integration, so fewer ways to get infected, not to mention it comes with the latest security patch as well as Android version.
What's the problem with Google or Play Store integration? Sure, they may not be privacy friendly, but I don't think they make you more prone to viruses. If you don't use the Play Store, you'll have to use third-party app stores, which IMO would be worse than using the Play Store.
This comment was specifically meant for this Cellik RAT only, not universal. This one has a Play Store integration feature that lets the malicious app bundle with legitimate apps. Read the full article OP provided, you'll understand what I meant.

Yes, I did read it (quoted specific part below), and as far as I understand, that Play Store integration feature makes it easy for the attacker to infect apps available on the Play Store — do note original apps remain unaffected and the attacker will have to upload this 'new' malicious app on the Play Store, F-Droid or elsewhere. So, what difference will avoiding the Play Store make in this case?

Quote
One of Cellik’s most problematic features is its integration with Google Play and an automated APK builder for malware distribution. Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload. With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app.

YellowSwap
December 24, 2025, 05:20:54 PM
#15

Quote
Sorry, I don't understand how the problem arises from the bootloader being locked? Can you explain? A locked bootloader means fewer doors to exploit, cmiiw.
I wasn't referring to that, more like you can't customize a lot of things if your phone comes with a terrible OS. I guess my wording makes it unclear. For example, some manufacturers include ads on their OS, so you get bombarded with ads here and there. If you want to flash a newer or custom OS (including vanilla one with a higher version), you'll have to unlock the kernel, etc. Some of them don't support that. At least that's how it is when I'm still active on flashing custom ROM on my phones regularly.
custom roms are basically dead for most new phones now unfortunately

An unlocked bootloader makes your phone more vulnerable. You will be able to run ROMs and do the tweaking to your taste, but you are not far away from malware yourself. Every app is installable on a custom ROM; it's like they have a separate Play Store from the regular Play Store that we know. Factory OS are always safer but they come with lots of useless apps and bloatware.

Still, I prefer to use my phone with the factory OS rather than installing a custom ROM. I am not entirely new to flashing ROMs either; I know CyanogenMod ROMs and a few others, and I have played with them using HTC phones and also Samsung phones.
Forsyth Jones
Legendary
*
Offline Offline

Activity: 1764
Merit: 1874


I love Bitcoin!


View Profile WWW
December 24, 2025, 10:20:47 PM
 #16

In short, this RAT does everything; anyone infected could suffer significant financial losses and have their data leaked extremely easily.

That's why it's extremely important to check the app's source, as well as check the official website to avoid downloading malware.

The ability to inject fake login screens, especially in login forms or those requiring sensitive data, is truly frightening.

It's worth remembering that new malware and RATs are already using AI to rewrite and adapt their own code to avoid detection by users and heuristic analysis tools. Learning to mutate, mask themselves, and adapt in real time, as well as improve themselves, they can change their behavior during an attack, evade detection tools, and generate entirely new signatures faster than analysts can identify them.

Google discovered two malware families: PROMPTFLUX and QUIETVAULT, as well as others reported in news articles like this one:
https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html

Patikno
Sr. Member
****
Offline Offline

Activity: 700
Merit: 287


Visit Campaign Manager |TG ID- @LT_Mouse


View Profile WWW
December 24, 2025, 11:10:18 PM
Merited by lovesmayfamilis (1)
 #17

So every time you're about to save something important on your phone, consider that you might not be the only owner of that data.
I don't know if I am paranoid or overly skeptical about the devices I own, but I often feel the way you describe. I often feel that some of the devices I frequently use online might have been compromised, and maybe someone might be monitoring me. So, I often differentiate between the various wallets I use, and they all use the same device, which means that if a hack occurs, I can tell which device was compromised. Furthermore, I also differentiate between the wallets I use for storage (especially for large amounts of data), and I keep them secure, which means I try to keep them offline. If I do use them, I make sure I'm using a secure device.

Luckily, I haven't had any problems so far, and I hope that stays the same. I think a skeptical mindset is necessary to avoid major problems. Imagine if we weren't skeptical about our devices, but if something bad happened, we could potentially lose a lot, including our finances. I don't mean to scare anyone, and I don't mean to wish it to happen, but isn't it possible that it could happen to us? I think we need to be skeptical about anything, there is no harm in thinking about all the possibilities of vulnerabilities that might occur, whether we do it accidentally or not.

In this increasingly sophisticated cyber world, we never know what kind of attacks might happen to us. Attacks can happen without our authorization, right? So, I think we need to protect ourselves well, and try to avoid storing important data online, and try to encrypt any data you want to store securely.



NINI2501
Newbie
*
Online Online

Activity: 28
Merit: 2


View Profile
December 25, 2025, 01:05:54 AM
 #18

being paranoid is just the default setting you need if you want to keep your btc safe these days, especially with this new cellik rat that can basically mirror your screen and intercept otp codes in real time, i do the same thing with separate devices for my hot wallets and my long term storage but even then i wonder if my home network is actually secure, it only takes one bad apk to ruin years of stacking so stay skeptical my friend
libert19
Legendary
*
Offline Offline

Activity: 3094
Merit: 1101


Signatures are not endorsements, DYOR!


View Profile WWW
December 25, 2025, 12:09:22 PM
 #19

... factory OS are always safer but they come with lots of useless apps and bloatware.

I buy stock Android phones and they come with little or no bloatware. You can also use debloater tools to uninstall OEM-installed apps, but I have never used one, so I can't recommend any specific one.

Ndabagi01
Sr. Member
****
Offline Offline

Activity: 1176
Merit: 427



View Profile
December 25, 2025, 12:20:47 PM
 #20

Android isn't safe, and neither is iOS; the safest operating system is always the one with open source packaging. In my opinion, those who're using Ubuntu Touch, which isn't available for most phones, are the ones who're safe from most RATs and malware. I'm not sure if anyone knows about it, but I believe the ones with a phone like the Redmi Note 9 Pro can install Ubuntu Touch, and that might be a good selection when it comes to the security and safety of one's device.

It has been a while since I made use of an Android device, but I know for sure that the security of iOS devices is greater than that of Android devices. With that being said, I have not heard of Ubuntu Touch, but if there is such an application on Android devices that helps against malware like RATs, it will really go a long way to help victims not fall for these fraudulent apps.

The features of this RAT malware are very dangerous: when it gets into your device, all of your important information will be gone. I just hope that, as fraudsters upgrade their scam techniques, there will always be a security countermeasure to safely counter those attacks on our devices.
