Cellik
Cellik is an Android remote access trojan (RAT) and malware-as-a-service (MaaS) offering identified in late 2025 and advertised on underground forums and the dark web. It is described as a new Android malware family observed in the wild and is sold with subscription pricing starting at $150 per month and $900 for lifetime access. Security reporting attributes its discovery and analysis to iVerify.
Cellik is designed to give operators full control over infected Android devices and to turn legitimate-looking applications into surveillance tools. A defining feature is its built-in one-click APK builder with Google Play Store integration, which allows an operator to select legitimate apps and create trojanized versions that preserve the original app appearance and functionality while embedding the Cellik payload. Multiple reports describe this as enabling attackers to wrap the malware inside trusted Google Play apps and use those apps to evade detection and prolong infections. Some reporting states the seller claims it can bypass Google Play Protect, but that claim was not independently confirmed.
Its capabilities include real-time screen streaming, keylogging, remote camera and microphone access, notification interception (including private messages and one-time passcodes), remote UI interaction through simulated taps and swipes, hidden web browsing, credential theft via overlays and fake login screens, form-data interception in the hidden browser, file browsing, upload and download, access to cloud storage linked to the device, data exfiltration, and data wiping. Additional reported features include an injection toolkit supporting multiple simultaneous app injections, location tracking, communications surveillance, cryptocurrency wallet theft, and access to data from other applications. Reporting also notes encrypted command-and-control communications.
Cellik is positioned as a user-friendly criminal platform accessible to operators with limited technical skill, reflecting the broader trend of sophisticated Android surveillance and credential-theft tooling being packaged as subscription services. It has been characterized as the 'Silent Hijacker' because it covertly converts legitimate Google Play apps into surveillance tools. High-confidence reporting links it to underground cybercrime distribution rather than a specific named threat actor. The malware targets Android devices and is relevant to mobile users broadly rather than a single industry vertical.
Named as one of 17 Android malware families detected in the wild over four months.