'Cellik' Android RAT Leverages Google Play Store

Dark Reading • December 17, 2025

Companies Mentioned

Google (GOOG)

Why It Matters

Cellik democratizes sophisticated mobile espionage, threatening both consumer privacy and enterprise mobile security by exploiting trusted app distribution channels.

Key Takeaways

  • Cellik bundles malware inside legitimate Play Store apps.
  • RAT offers screen streaming, keylogging, file system access.
  • Service priced $150/month, $900 lifetime.
  • Bypasses Play Protect by wrapping trusted APKs.
  • Allows low‑skill actors to launch mobile spyware campaigns.

Pulse Analysis

The emergence of Cellik highlights a broader shift toward "malware‑as‑a‑service" models that target mobile ecosystems. Unlike traditional Android threats that rely on zero‑day exploits, Cellik leverages a fully automated APK builder that downloads popular apps from Google Play, injects a covert payload, and repackages the file for distribution. By masquerading as trusted software, the RAT sidesteps many automated vetting processes, effectively turning the world’s most popular app marketplace into an inadvertent delivery vector for espionage tools.

For defenders, the significance lies in the lowered technical threshold required to launch a full‑featured mobile spying campaign. At a subscription cost comparable to a modest SaaS license, even low‑skill actors can acquire capabilities such as real‑time screen streaming, credential harvesting via overlay attacks, and encrypted exfiltration of files and browser data. This commoditization erodes the traditional advantage that sophisticated threat groups held, expanding the pool of potential attackers and increasing the likelihood of widespread infections, especially in environments where users sideload apps or ignore security prompts.

Mitigation strategies must evolve beyond reliance on Play Protect. Organizations should enforce strict app‑installation policies, employ mobile endpoint detection and response solutions, and educate users on the risks of sideloading. Verifying APK signatures, monitoring network traffic for anomalous C2 communications, and applying zero‑trust principles to mobile device management can further reduce exposure. As the market for mobile RAT‑as‑a‑service matures, continuous threat‑intel sharing and proactive security controls will be essential to safeguard the increasingly mobile‑first enterprise landscape.
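One way to apply the APK signature check mentioned above, as an added example that is not from the original article: a repackaged app has to be re-signed, so its signer certificate will not match the one pinned for the genuine publisher. The package name, digests and sample text are constructed; the input format assumed is the output of `apksigner verify --print-certs`.

```python
import re

# Constructed allowlist: package name -> SHA-256 digests of the publisher's
# signing certificate, recorded from a copy known to be genuine.
# The digest values are made-up placeholders, not real certificates.
PINNED_CERTS = {
    "com.example.notes": {"a1" * 32},
}

# Line format printed by `apksigner verify --print-certs <apk>`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests (lowercase)."""
    return {m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)}


def check_apk(package, apksigner_output, pinned=PINNED_CERTS):
    """Classify an APK by comparing its signers with the pinned certificates."""
    found = signer_digests(apksigner_output)
    if not found:
        return "unsigned-or-unparsed"  # no signer seen: treat as untrusted
    expected = pinned.get(package)
    if expected is None:
        return "unknown-package"       # nothing pinned: needs manual review
    if found <= expected:              # every signer must be a pinned one
        return "trusted"
    return "signer-mismatch"           # re-signed copy of a known app


# Constructed sample outputs for a genuine and a re-signed copy of one app.
GENUINE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Publisher\n"
    f"Signer #1 certificate SHA-256 digest: {'a1' * 32}\n"
)
REPACKAGED_OUTPUT = (
    "Signer #1 certificate DN: CN=Unknown\n"
    f"Signer #1 certificate SHA-256 digest: {'b2' * 32}\n"
)

if __name__ == "__main__":
    for label, text in (("genuine", GENUINE_OUTPUT),
                        ("repackaged", REPACKAGED_OUTPUT)):
        print(label, "->", check_apk("com.example.notes", text))
```

A `signer-mismatch` result on a package that is pinned is the case worth alerting on in a mobile device management pipeline; `unknown-package` only means no baseline exists yet.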
