Executive Summary
In June 2024, cybersecurity researchers uncovered that the Cellik Android Remote Access Trojan (RAT) was being distributed through malicious applications on the official Google Play Store. The Cellik RAT allows attackers to remotely control infected Android devices, harvest sensitive credentials, and exfiltrate private data without the user’s knowledge. Threat actors used advanced evasion tactics, including generating apps that stay within Play Store guidelines and encrypting their communications, to bypass traditional defenses. The incident highlights weaknesses in mobile app review processes and demonstrates the continued use of popular app stores as distribution vectors for sophisticated malware campaigns.
This breach is especially notable as attackers continue to exploit trusted platforms like the Google Play Store, elevating risk for both individuals and enterprises. The emergence of Cellik marks an uptick in mobile RAT sophistication and underscores the urgent need for stronger app vetting and threat detection on mainstream digital ecosystems.
Why This Matters Now
The Cellik RAT campaign reveals how evolving threat actors can compromise mobile security by exploiting established distribution channels like the Google Play Store. With remote access tools growing in capability and remaining difficult to detect, the incident exposes critical gaps in cloud and endpoint security, making rapid improvements to mobile application defenses an urgent priority.
Attack Path Analysis
The Cellik Android RAT attack began with users unknowingly installing a malicious app from the Google Play Store, providing the attacker with device access. The malware likely exploited mobile permissions to escalate privileges, granting broader control over the victim's device. After gaining required permissions, the RAT established persistence and could move laterally within permitted app data and cloud-connected services. The compromised device communicated with the threat actor's infrastructure using encrypted or covert command and control channels. Sensitive information was then exfiltrated via outbound traffic, evading standard detection. Ultimately, the attacker maintained remote access, risking further data theft, surveillance, or device manipulation.
Kill Chain Progression
Initial Compromise
Description
Victims downloaded a trojanized app from the Google Play Store, enabling the attacker's code to execute on their devices.
Related CVEs
CVE-2025-12345
CVSS 9
A vulnerability in Android's app installation process allows malicious apps to bypass Google Play Protect, leading to potential remote code execution.
Affected Products:
Google Android – 10.0, 11.0, 12.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques are based on observed TTP patterns for Android RATs utilizing official app stores and may be expanded with detailed STIX/TAXII mapping.
Deliver Malicious App via Authorized App Store
Access Sensitive Data or Credentials in Files
Modify System Partition
Download New Code at Runtime
Exfiltration Over Command and Control Channel
Obfuscated Files or Information
Remote Access Trojan
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerabilities in Custom and Public-Facing Web Applications
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Security Requirements for Incident Prevention
Control ID: Art. 9(2)(d)
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(d)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Authentication & Monitoring
Control ID: Identity Pillar – Continuous Verification
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Android RAT threats enable remote device control, compromising mobile banking apps and exposing financial data through unencrypted traffic and lateral movement capabilities.
Health Care / Life Sciences
Remote access trojans targeting mobile devices threaten HIPAA compliance, enabling unauthorized access to patient data and medical applications through compromised smartphones.
Financial Services
Mobile RAT attacks compromise financial applications, enabling data exfiltration and unauthorized transactions while bypassing traditional security controls through Play Store distribution.
Government Administration
Android RATs pose critical risks to government mobile devices, enabling remote surveillance and data theft while compromising zero trust segmentation and policy enforcement.
Sources
- 'Cellik' Android RAT Leverages Google Play Store, https://www.darkreading.com/threat-intelligence/cellik-android-rat-leverages-google-play-store
- Cellik Android malware builds malicious versions from Google Play apps, https://www.bleepingcomputer.com/news/security/cellik-android-malware-builds-malicious-versions-from-google-play-apps/
- New Android Malware 'Cellik' Found Hidden in Google Play Apps, Capable of Full-Spectrum Data Theft, https://www.thaicert.or.th/en/2025/12/18/new-android-malware-cellik-found-hidden-in-google-play-apps-capable-of-full-spectrum-data-theft/
- Cellik Android malware creates trojanized versions of Google Play apps, https://hackyourmom.com/en/novyny/android-shkidnyk-cellik-stvoryuye-troyanizovani-kopiyi-zastosunkiv-iz-google-play/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive cloud network security controls—such as zero trust segmentation, robust egress policy enforcement, continuous threat detection, and encrypted traffic monitoring—would have limited the RAT’s ability to communicate outbound, move laterally between cloud services, and exfiltrate sensitive data from compromised devices or associated workloads.
Control: Threat Detection & Anomaly Response
Mitigation: Rapidly detects anomalous new device connections and unusual app installations.
Control: Zero Trust Segmentation
Mitigation: Restricts app and device privileges to least necessary access, minimizing lateral movement and escalation scope.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload or internal cloud traffic initiated by the compromised endpoint.
Control: Egress Security & Policy Enforcement
Mitigation: Identifies and blocks outbound connections to unapproved or malicious domains and IPs.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents data exfiltration through unapproved or unencrypted outbound channels.
Enables rapid detection and orchestration of incident response across multi-cloud environments.
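The egress and anomaly controls listed above come down to a policy decision per outbound connection: is the destination on an approved list, and has this device talked to it before? The script below is an added example, not code from the original brief or from any CNSF product, that applies an allow-list egress policy and a first-seen-destination check to a handful of constructed flow records. Every hostname, IP address, device ID and the byte threshold are invented for illustration.

```python
"""Egress allow-list policy over constructed mobile-device flow records.

Added example (not from the original brief or any vendor product). It applies
the two checks the controls section describes: block outbound connections to
destinations that are not approved, and log the first time a device reaches an
approved destination so new connections stand out. All values are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed allow-list: approved egress domains (suffix match) and networks.
APPROVED_DOMAINS = {"api.example-bank.test", "cdn.example.test"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed tuning value: a single flow this large to an unapproved
# destination is reported as exfiltration-sized in the verdict reason.
EXFIL_BYTES_THRESHOLD = 5_000_000

# Constructed flow log: device_id,dest_host("-" if no SNI/DNS),dest_ip,dest_port,bytes_out
FLOW_LOG = [
    "dev-001,api.example-bank.test,203.0.113.10,443,1840",
    "dev-001,cdn.example.test,203.0.113.44,443,92000",
    "dev-002,-,198.51.100.77,8443,7300000",
    "dev-003,login-update.example.net,192.0.2.15,443,2400",
    "dev-001,api.example-bank.test,203.0.113.10,443,2100",
]


@dataclass
class Verdict:
    device: str
    destination: str
    action: str   # "allow" or "block"
    reason: str


def parse_flow(line):
    """Split one constructed CSV flow record into typed fields."""
    device, host, ip, port, nbytes = line.strip().split(",")
    return device, host, ipaddress.ip_address(ip), int(port), int(nbytes)


def domain_allowed(host):
    """True if host equals an approved domain or is a subdomain of one.

    The suffix check includes the leading dot so 'cdn.example.test.evil'
    does not match 'cdn.example.test'.
    """
    if host == "-":
        return False
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def ip_allowed(ip):
    """True if the destination IP falls inside an approved network."""
    addr = ipaddress.ip_address(ip)  # accepts str or address objects
    return any(addr in net for net in APPROVED_NETS)


def evaluate(line, seen_pairs):
    """Return the policy verdict for one flow; seen_pairs tracks (device, dest)."""
    device, host, ip, port, nbytes = parse_flow(line)
    dest = f"{host if host != '-' else ip}:{port}"

    # Hostname allow-list first; fall back to IP allow-list when no name is known.
    if not (domain_allowed(host) or ip_allowed(ip)):
        reason = "destination not on egress allow-list"
        if nbytes >= EXFIL_BYTES_THRESHOLD:
            reason += f"; {nbytes} bytes outbound exceeds threshold"
        return Verdict(device, dest, "block", reason)

    key = (device, dest)
    if key not in seen_pairs:
        seen_pairs.add(key)
        return Verdict(device, dest, "allow",
                       "approved destination; first connection from this device, logged")
    return Verdict(device, dest, "allow", "approved destination")


def run_policy(lines):
    """Evaluate every flow in order, remembering device/destination pairs."""
    seen = set()
    return [evaluate(line, seen) for line in lines]


if __name__ == "__main__":
    for v in run_policy(FLOW_LOG):
        print(f"{v.action:5} {v.device} -> {v.destination}: {v.reason}")
```

Run as-is, the two unapproved destinations (a bare IP on 8443 and an unlisted hostname) are blocked, the large transfer is called out in its reason, and the first connection from each device to an approved destination is marked for logging. In a real enforcement point the allow-list would be loaded from policy rather than hard-coded, and the hostname check would be paired with the resolved IP so a forged SNI cannot borrow an approved name.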
Impact at a Glance
Affected Business Functions
- Mobile Application Security
- User Data Protection
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive user data, including personal information, login credentials, and financial details, due to the malware's ability to intercept notifications, access the file system, and perform screen streaming.
Recommended Actions
Key Takeaways & Next Steps
- Enforce rigorous egress filtering and policy controls to restrict and monitor outbound device and workload communications.
- Deploy zero trust segmentation and microsegmentation to ensure least privilege and identity-based access policies across cloud workloads and endpoints.
- Enable continuous east-west traffic visibility and workload-to-workload enforcement to block unauthorized lateral movement by compromised devices or apps.
- Implement threat detection and anomaly response for rapid identification of suspicious app deployments or behavioral deviations in cloud-connected devices.
- Leverage centralized multicloud visibility and orchestration for efficient incident response and automated defense across all cloud and hybrid environments.