Cellik Android Malware Builds Malicious Versions From Google Play Apps

A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.

Specifically, attackers can select apps from Android's official app store and create trojanized versions that appear trustworthy and keep the real app's interface and functionality.

By providing the expected capabilities, Cellik infections can go unnoticed for a longer time. Additionally, the seller claims that bundling the malware this way may help bypass Play Protect, although this is unconfirmed.

Mobile security firm iVerify discovered Cellik on underground forums where it is offered for $150/month or $900 for lifetime access.

Cellik is a fully-fledged Android malware that can capture and stream the victim's screen in real time, intercept app notifications, browse the filesystem, exfiltrate files, wipe data, and communicate with the command-and-control server via an encrypted channel.

An app injection system allows attackers to overlay fake login screens or inject malicious code into any app to steal the victim's account credentials.

The listed capabilities also include the option to inject payloads onto installed apps, which would make pinpointing the infection even more difficult, as long-trusted apps suddenly turn rogue.

The highlight, though, is the Play Store integration into Cellik's APK builder, which allows cybercriminals to browse the store for apps, select the ones they want, and create a malicious variant of them.

"The seller claims Cellik can bypass Google Play security features by wrapping its payload in trusted apps, essentially disabling Play Protect detection," explains iVerify.

"While Google Play Protect typically flags unknown or malicious apps, trojans hidden inside popular app packages might slip past automated reviews or device-level scanners."

Source: BleepingComputer