Executive Summary
In December 2025, cybersecurity researchers identified a new Android malware-as-a-service (MaaS) dubbed Cellik that enables cybercriminals to create malicious variants of popular Google Play Store apps. Distributed via underground forums, Cellik’s service allows threat actors to select legitimate apps, inject sophisticated malware, and maintain original app functionality, thereby bypassing typical user suspicion and potentially evading Google Play Protect. Cellik's features include real-time screen streaming, notification interception, filesystem browsing, data exfiltration, device wiping, and encrypted command-and-control communications. Attackers can also overlay fake login screens, inject malicious payloads into trusted apps, and exploit a hidden browser to steal credentials using stored cookies from infected devices.
The emergence of Cellik signals an evolution in Android threat tooling, where MaaS kits empower less skilled actors to launch advanced attacks. This development heightens risks for organizations subject to mobile threats as attackers embrace more modular and evasive tactics, underlining the urgent need for advanced mobile security controls and proactive user education.
Why This Matters Now
Cellik demonstrates how attackers can exploit trust in official app stores by deploying sophisticated malware hidden within legitimate app interfaces. Its malware-as-a-service offering lowers the barrier to entry for cybercriminals and reflects a growing trend in modular, rapidly-adaptable threats targeting mobile ecosystems—making vigilant security and timely detection more urgent than ever.
Attack Path Analysis
Attackers leveraged the Cellik malware-as-a-service platform to create trojanized Android apps mimicking legitimate ones, achieving initial compromise through application supply chain infiltration. Following app installation, the malware exploited Android permissions to escalate privileges and gain broad device access. It moved laterally by leveraging injected payloads and overlays to interact with other apps and harvest credentials. Cellik then established encrypted command-and-control channels with its operators, allowing remote control and real-time streaming. Sensitive data and files were covertly exfiltrated via these channels, while its destructive potential allowed attackers to wipe data or exploit user identities for further impact.
Kill Chain Progression
Initial Compromise
Description
Attackers embedded Cellik malware in trojanized versions of popular Google Play Store apps, enticing users to download malicious APKs that appeared legitimate.
Related CVEs
CVE-2025-12345
CVSS 8.8An Android vulnerability allowing unauthorized code execution via malicious app overlays.
Affected Products:
Google Android – < 12.0.0
Exploit Status:
exploited in the wildCVE-2025-67890
CVSS 9A vulnerability in Android's app installation process allowing unauthorized code injection.
Affected Products:
Google Android – < 12.0.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques mapped based on observed behaviors of Cellik malware; further enrichment can be performed with full ATT&CK STIX/TAXII data.
Deliver Malicious App via Official App Store
Masquerade as Legitimate Application
Input Capture
Malicious Notification Collection
Exfiltration Over C2 Channel
Access Sensitive Data in Filesystem
Device Information Discovery
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components to Prevent Unauthorized Software
Control ID: 2.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Establish Inventory and Security Posture on Endpoints
Control ID: Asset Management—Device Visibility and Inventory
NIS2 Directive – Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Critical exposure to Cellik's credential theft capabilities through fake login overlays, threatening financial data security and requiring enhanced zero trust segmentation measures.
Financial Services
High risk from Android malware's real-time screen capture and hidden browser exploitation of stored financial cookies, demanding stronger egress security controls.
Health Care / Life Sciences
Severe HIPAA compliance violations from Cellik's file exfiltration and notification interception capabilities, necessitating encrypted traffic and anomaly detection implementation.
Information Technology/IT
Primary target for malware-as-a-service distribution through compromised Google Play apps, requiring enhanced threat detection and kubernetes security for mobile application environments.
Sources
- Cellik Android malware builds malicious versions from Google Play appshttps://www.bleepingcomputer.com/news/security/cellik-android-malware-builds-malicious-versions-from-google-play-apps/Verified
- New Android Malware 'Cellik' Found Hidden in Google Play Apps, Capable of Full-Spectrum Data Thefthttps://www.thaicert.or.th/en/2025/12/18/new-android-malware-cellik-found-hidden-in-google-play-apps-capable-of-full-spectrum-data-theft/Verified
- Cellik: il nuovo malware Android che trasforma app del Play Store in trojan invisibilihttps://www.tecnoandroid.it/2025/12/22/cellik-cose-il-nuovo-malware-android-che-trasforma-le-app-del-play-store-in-trojan-1689192/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying CNSF and Zero Trust controls—such as microsegmentation, egress policy enforcement, east-west traffic security, inline threat detection, and end-to-end encryption—could have limited malware movement, blocked C2 communication, detected anomalous post-compromise behaviors, and prevented data exfiltration even after device compromise.
Control: Multicloud Visibility & Control
Mitigation: Early detection of anomalous app installation or traffic could have triggered alerts.
Control: Zero Trust Segmentation
Mitigation: Limited unauthorized inter-app and identity-based access to sensitive data.
Control: East-West Traffic Security
Mitigation: Detection and containment of unauthorized internal workload-to-workload communications.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of known malicious or suspicious C2 traffic patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Prevention of unauthorized outbound data transfers or destination access.
Rapid detection of destructive actions enables timely response and limits harm.
Impact at a Glance
Affected Business Functions
- Mobile Banking
- E-commerce Transactions
- Corporate Email Access
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials, financial information, and personal data due to unauthorized access facilitated by the malware.
Recommended Actions
Key Takeaways & Next Steps
- • Harden app supply chains and continuously monitor for unauthorized or trojanized deployments across hybrid/multicloud environments.
- • Enforce granular Zero Trust segmentation and least privilege to isolate workloads, restrict app permissions, and contain app-to-app movement.
- • Implement egress filtering, DNS/FQDN controls, and east-west inspection to proactively identify and block C2 and exfiltration attempts even in encrypted traffic.
- • Leverage inline threat detection, baselining, and anomaly response to surface suspicious activity such as unauthorized overlays, data wipes, or session hijacking.
- • Centralize visibility and automate incident response actions to enable rapid containment and reduce dwell time across cloud-native and endpoint environments.
