A new Android Trojan can hide inside apps you trust — and this is how it gets to you

The Cellik RAT slips past Android defenses by wrapping itself around real apps – and gains full access to your phone.

There's a new remote access Trojan (RAT) that takes advantage of the Google Play Store and actually builds malicious versions of various Android apps. 

New remote access Trojan can bundle itself with legit apps 


The malware's name is "Cellik" and its existence has been reported by iVerify. This RAT stands out because, on top of having abilities such as full-device control, it can also be bundled by malicious users with otherwise legitimate applications available on the Google Play Store. 


Cellik is a part of a category dubbed "x-as-a-service". Cybercriminals can pay for versions of everything, including credential stealers, ransomware, phishing kits, and other malware. Cellik is a sort of "mature" malware that even hackers with low skills can use with minimal effort.  

Once the malicious user gets Cellik into an Android phone, the attacker is given complete control. The malware can stream your screen directly to the attacker, and the attacker can remotely control the phone.


The malware also has a keylogger feature. But that's not all: it can help the attacker see your notifications on your screen, one-time passcodes, and the phone's file system. And yep, that includes sensitive browser data like cookies and even credentials you've saved in the browser. 

iVerify underlines that with this malware, the malicious user can see all your files, download or upload files, delete some, and even access cloud storage that's been linked to the phone. The attacker can also go to websites, click links, and fill out forms. And the victim won't see any of this activity on their screen.

These features aren't new. However, what makes Cellik dangerous is the ability it gives the attacker to display an overlay over apps on the compromised phone (fake login screens, for example). Also, it has an injector builder – it can be customized for different apps. 

The RAT-as-a-service has an automatic .apk builder that can browse the Play Store, download a legit app, put Cellik around it, and package it up so the attacker can distribute it to potential victims. 

This way, Cellik can bypass the security features (like Play Protect detection) of the Play Store. Basically, Google Play Protect can flag unknown or malicious apps, but a Trojan hidden in a popular app package may slip through. 

Such trojanized apps are typically distributed through the same channels you'd sideload from, not the Play Store itself. Once you install one, it runs in the background and gives the hacker access to your device. There are no exploits here: just old-fashioned social engineering and user trust.

Would this make you rethink sideloading apps on Android?


How to protect yourself


The best practice here is to stay up to date with social engineering tactics and be careful about where you download your apps. Basically, to minimize your exposure to malware, stick to official app stores. Don't sideload unless absolutely necessary. If you do sideload, install APKs manually, and verify hashes and signatures before doing it.
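The "verify hashes and signatures" step above is the one concrete check a user can make before installing. The script below is an added example, not code from the article or from iVerify: it compares a downloaded APK's SHA-256 against the value a vendor publishes, and, when the Android SDK's apksigner tool is installed, checks that the signature is valid and that the signer certificate digest matches the one known for the genuine app. A repackaged build such as a Cellik-wrapped app cannot be signed with the original developer's key, so the signer digest is the stronger of the two checks. The file name, expected hash and certificate digest are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the article or iVerify): pre-install checks for a
# sideloaded APK. Usage: ./verify_apk.sh app.apk <vendor sha256> <signer cert sha256>

# Portable SHA-256 of a file: Linux has sha256sum, macOS has shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file hash matches, 1 otherwise.
# Case-insensitive so a hash copied from a web page in upper case still works.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_signer FILE EXPECTED_CERT_SHA256 -> 0 if apksigner reports a valid
# signature whose "certificate SHA-256 digest" line matches the expected value;
# 2 if apksigner (Android SDK build-tools) is not installed; 1 otherwise.
verify_signer() {
    command -v apksigner >/dev/null 2>&1 || {
        echo "apksigner not found; install Android SDK build-tools" >&2
        return 2
    }
    out=$(apksigner verify --print-certs "$1" 2>&1) || { echo "$out" >&2; return 1; }
    echo "$out" | grep -i 'certificate SHA-256 digest' | grep -iq "$2"
}

# Top-level driver: only runs when the script is invoked with three arguments.
if [ "$#" -eq 3 ]; then
    verify_sha256 "$1" "$2" || { echo "hash mismatch: do not install"; exit 1; }
    rc=0
    verify_signer "$1" "$3" || rc=$?
    case "$rc" in
        0) echo "hash and signer certificate OK" ;;
        2) echo "hash OK; signer check skipped (apksigner not available)" ;;
        *) echo "signature invalid or signer mismatch: do not install"; exit 1 ;;
    esac
fi
```

The hash check only proves the file is the one the vendor says it published; if the download page itself is the attacker's, the hash there will match the malicious file. The signer check does not have that weakness, because the expected certificate digest comes from a source you trust (for example, the developer's documentation or a copy of the app already installed from the Play Store), not from the download site.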

Having a solution that detects and responds to malware on your phone can also help. 

This is why I don't mess with sideloading apps


I'll be honest, stuff like Cellik is exactly why I stick to the Google Play Store and never sideload apps on my phone. Sure, the Play Store isn't perfect and sometimes sketchy apps slip through, but at least there's some level of checking going on.

When you start downloading APK files from random websites or third-party app stores, you're basically rolling the dice with your personal data. The idea that hackers can now wrap malware around legitimate apps and make them look totally normal is genuinely scary.

The worst part about Cellik is how easy it is for attackers to use. You don't need to be some genius hacker anymore – you can just pay for this service and boom, you've got a malicious app ready to go. 

My advice? Be super careful about where you get your apps from. If something seems too good to be true, like a paid app suddenly available for free on some random website, just skip it. It's not worth risking your bank account, passwords, and everything else on your phone. 

And if you absolutely have to sideload something, make sure you know exactly what you're installing and where it came from. Better safe than sorry.

