According to Dark Reading, security researcher Daniel Kelley of iVerify has detailed a new Android remote access Trojan (RAT) called “Cellik” that’s being sold as a service. The malware gives attackers complete control over a victim’s device, including screen streaming, keylogging, and file system access. What makes it notable is its integration with the Google Play Store; its service includes an automated tool that can download legitimate apps from the store, wrap them with the Cellik payload, and repackage them for distribution. The RAT is offered on a subscription model, costing between $150 for a month and $900 for a lifetime license. Attackers typically distribute the poisoned apps through sideloading, relying on social engineering rather than technical exploits.
RAT-as-a-Service is the Real Threat
Here’s the thing: Cellik itself, while nasty, isn’t some revolutionary piece of malware tech. Its features—remote control, file access, keylogging—are pretty standard for a high-end RAT. The innovation, and the real danger, is in the business model. It’s another entry in the booming “as-a-service” economy for cybercrime. Basically, you don’t need to be a skilled coder anymore. You just need a credit card and a target. For a few hundred bucks, you get a turnkey spyware operation with a slick builder tool that does the heavy lifting of creating a convincing malicious app. This drastically lowers the barrier to entry and scales the threat. Now, even low-skilled attackers can run sophisticated mobile surveillance campaigns. That’s a scary shift.
Why the Play Store Angle Matters
So why is the Play Store integration such a big deal? It’s not that Cellik is *in* the Play Store—Google’s automated protections would hopefully catch it there. The clever, and insidious, part is that it uses the store as its own personal library of trusted software. The attacker uses Cellik’s tool to browse for a popular, legitimate app, download it, and then wrap it with the Cellik payload so the original app keeps working while a backdoor rides along inside it. The final poisoned app looks and, initially, behaves like the real thing. This wrapper technique is designed to bypass security scans like Google Play Protect, which might see a known, trusted app package and let it through. The distribution then happens off-store, via phishing links or shady third-party sites, where users are tricked into sideloading it. The user thinks they’re getting “App X,” but they’re actually installing a backdoor. It’s a potent abuse of trust.
What Can You Do About It?
The defense against this isn’t really about finding a magic-bullet antivirus. It’s back to security fundamentals. Kelley’s advice is the golden rule: stick to official app stores and avoid sideloading APKs unless it’s absolutely unavoidable. And if you must sideload, verify where it’s from. Think about it—why would a major app like a bank or social media platform *only* be available as a direct download from some random website? It wouldn’t. That immediate skepticism is your best defense. For businesses, an endpoint detection and response (EDR) solution on mobile devices can help flag suspicious behavior during installation. But for the average person? It’s about vigilance. The threat isn’t a complex exploit; it’s just tricking you into installing the wrong thing. That’s a problem technology alone can’t fully solve.
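The wrapping technique described above has one consequence a defender can check mechanically, which is the practical form of “verify where it’s from”: the attacker does not hold the original developer’s signing key, so a repackaged build has to be re-signed, and its signer certificate fingerprint no longer matches the publisher’s. The script below is an added example, not code from the article, Dark Reading or iVerify. It reads the v1 (JAR) signature block under META-INF/, walks the PKCS#7 structure with a minimal DER reader, hashes each embedded certificate and compares the result to a pinned fingerprint. The APK it examines is a constructed in-memory zip whose “certificates” are placeholder bytes, so the pinned value is derived from that placeholder; in practice you would take the fingerprint from the official build. It handles only the v1 signature; many modern APKs carry only v2/v3 signatures in the APK Signing Block, which this reader does not parse, so real tooling should use `apksigner verify --print-certs` from the Android SDK build-tools instead.

```python
"""Added example: compare an APK's v1 (JAR) signer certificate with a pinned
publisher fingerprint. A repackaged build must be re-signed with the
repackager's key, so its fingerprint differs even when name and icon match."""
import hashlib
import io
import zipfile


def der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample data)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, header_start, value_start, value_end) for each TLV in a range."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def certificates_from_pkcs7(blob):
    """Return the raw DER bytes of each certificate carried in a PKCS#7 SignedData."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    _, ci_start, ci_end = _read_tlv(blob, 0)
    explicit = [c for c in _children(blob, ci_start, ci_end) if c[0] == 0xA0]
    if not explicit:
        return []
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #   certificates [0] IMPLICIT SET OPTIONAL, crls [1] OPTIONAL, signerInfos }
    _, sd_start, sd_end = _read_tlv(blob, explicit[0][2])
    certs = []
    for tag, _, vstart, vend in _children(blob, sd_start, sd_end):
        if tag == 0xA0:  # certificates set; each X.509 Certificate is a SEQUENCE
            certs += [blob[h:e] for t, h, _, e in _children(blob, vstart, vend) if t == 0x30]
    return certs


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk_bytes):
    """Fingerprints of every v1 signer certificate found under META-INF/."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(apk.read(name)):
                    found.add(fingerprint(cert))
    return found


def check_signer(apk_bytes, pinned):
    """(ok, fingerprints): ok only if the APK is v1-signed by exactly the pinned
    certificate. No signature, an extra signer or a different signer all fail."""
    found = signer_fingerprints(apk_bytes)
    return found == {pinned.lower()}, found


# --- constructed sample data: placeholder bytes, not real certificates ----------
OFFICIAL_CERT = der(0x30, b"placeholder for the publisher's X.509 certificate")
REPACKAGED_CERT = der(0x30, b"placeholder for the repackager's X.509 certificate")
PINNED = fingerprint(OFFICIAL_CERT)  # in practice: taken from the official build


def build_fake_apk(cert_der):
    """Build a minimal in-memory zip shaped like a v1-signed APK around cert_der."""
    signed_data = der(0x30, der(0x02, b"\x01")                               # version
                      + der(0x31, b"")                                       # digestAlgorithms
                      + der(0x30, bytes.fromhex("06092a864886f70d010701"))   # id-data
                      + der(0xA0, cert_der)                                  # certificates [0]
                      + der(0x31, b""))                                      # signerInfos
    pkcs7 = der(0x30, bytes.fromhex("06092a864886f70d010702") + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder/>")
        apk.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        apk.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        apk.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    for label, cert in (("official", OFFICIAL_CERT), ("repackaged", REPACKAGED_CERT)):
        ok, found = check_signer(build_fake_apk(cert), PINNED)
        print(f"{label:10s} signer ok={ok} fingerprints={sorted(found)}")
```

The check is strict on purpose: a set of signers that is anything other than exactly the pinned certificate fails, so an APK that carries the publisher’s certificate plus a second, unknown one is treated as tampered rather than trusted. The same signer-consistency rule is what Android itself enforces for updates of an already installed package, which is why a wrapped build is pushed as a fresh sideloaded install rather than as an update to the app the victim already has.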
