CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Android RAT “Cellik” Lowers the Barrier to Full-Scale Mobile Espionage

A newly identified Android remote access trojan (RAT) known as Cellik is raising concern among mobile security researchers due to its unusually broad surveillance capabilities and built-in tooling that simplifies malware distribution.

According to iVerify, Cellik offers attackers near-total control over infected Android devices and includes a one-click APK builder that allows malicious payloads to be embedded into legitimate applications.

The combination of advanced spyware features, ease of deployment, and low pricing signals a growing commoditization of mobile espionage tools, expanding access beyond sophisticated threat actors.

Context

Android malware has increasingly shifted from basic credential theft toward full device surveillance, mirroring capabilities once limited to nation-state spyware.

At the same time, underground marketplaces continue to professionalize, offering subscription-based malware with customer support, dashboards, and automated builders.

Cellik sits squarely at the intersection of these trends, packaging advanced capabilities into a product accessible to relatively low-skill attackers.

What Happened

Mobile security firm iVerify uncovered Cellik during threat monitoring activities, identifying it as a fully featured Android RAT sold on underground forums.

The malware is advertised with real-time surveillance features, remote UI control, and application injection capabilities. Most notably, Cellik includes tooling that allows attackers to bundle the RAT into popular legitimate apps with a single click.

Cellik is currently offered as a subscription service, with monthly, short-term, and lifetime pricing tiers, making it accessible to a wide range of criminal actors.

Technical Breakdown

Once installed, Cellik grants attackers extensive control over the victim device, including:

  • Real-time screen streaming and keylogging

  • Remote access to camera and microphone

  • Notification interception and application data theft

  • File browsing, deletion, upload, and download

  • Access to linked cloud storage services

A standout feature is its hidden browser module, which operates invisibly while streaming screenshots to the attacker. This allows adversaries to hijack authenticated sessions using stored cookies or capture credentials entered into forms without the victim’s awareness.

Cellik also supports overlay attacks, displaying fake login screens on top of legitimate apps. Its built-in injection framework allows attackers to create and deploy custom overlays across multiple applications simultaneously.

The integrated APK builder and Google Play catalog access significantly lower the technical barrier for malware distribution.

Impact Analysis

Cellik’s design enables credential theft, financial fraud, account takeovers, and long-term surveillance.

Because it can be bundled into trusted applications, victims may install the malware unknowingly, bypassing traditional user suspicion. The hidden browser and overlay techniques further increase the likelihood of successful credential capture.

Organizations with bring-your-own-device (BYOD) policies are particularly exposed if compromised devices are used to access corporate resources.
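
An added example, not part of the original article or iVerify's research: because a bundled RAT carries the name of the legitimate app it is embedded in, a BYOD app inventory can be triaged by install source and by surveillance-capable permissions beyond what the genuine build uses. The permission mapping, device and package names, baseline, and inventory below are constructed assumptions.

```python
"""Triage an Android app inventory for possibly repackaged apps (added example)."""

# Permission -> capability. General Android knowledge used as an assumption
# here; it is not taken from iVerify's analysis of Cellik.
# BIND_* entries are declared on a service rather than requested by the app.
P = "android.permission."
SURVEILLANCE_PERMS = {
    P + "SYSTEM_ALERT_WINDOW": "overlay",
    P + "BIND_ACCESSIBILITY_SERVICE": "screen reading / input capture",
    P + "BIND_NOTIFICATION_LISTENER_SERVICE": "notification interception",
    P + "CAMERA": "camera",
    P + "RECORD_AUDIO": "microphone",
    P + "MANAGE_EXTERNAL_STORAGE": "file access",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

def triage(inventory, baseline):
    """Return [(device, package, reasons)] for apps that warrant review.

    A package name proves nothing when a payload is bundled into a legitimate
    app, so compare against the permissions the genuine build is known to use
    and look at where the install came from.
    """
    findings = []
    for app in inventory:
        expected = baseline.get(app["package"], set())
        surplus = sorted(SURVEILLANCE_PERMS[p]
                         for p in set(app["perms"]) - expected
                         if p in SURVEILLANCE_PERMS)
        sideloaded = app.get("installer") not in TRUSTED_INSTALLERS
        reasons = [f"installer={app.get('installer')}"] if sideloaded else []
        if surplus:
            reasons.append("surplus: " + ", ".join(surplus))
        # Flag any surplus on a sideloaded app, or 2+ surplus from any source.
        if (sideloaded and surplus) or len(surplus) >= 2:
            findings.append((app["device"], app["package"], reasons))
    return findings

# Constructed sample data; all names are hypothetical.
BASELINE = {"com.example.notes": {P + "CAMERA"}}
INVENTORY = [
    {"device": "phone-01", "package": "com.example.notes",
     "installer": "com.android.vending", "perms": [P + "CAMERA"]},
    {"device": "phone-02", "package": "com.example.notes", "installer": None,
     "perms": [P + "CAMERA", P + "SYSTEM_ALERT_WINDOW",
               P + "BIND_ACCESSIBILITY_SERVICE", P + "RECORD_AUDIO"]},
    {"device": "phone-03", "package": "com.example.recorder",
     "installer": "com.android.vending", "perms": [P + "RECORD_AUDIO"]},
]

if __name__ == "__main__":
    for device, pkg, reasons in triage(INVENTORY, BASELINE):
        print(device, pkg, "->", "; ".join(reasons))
```

A finding is a prompt for review, not a verdict: legitimate apps can be sideloaded or gain permissions in an update, so the baseline needs to track the genuine app's current release.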

Why It Matters

Cellik demonstrates how advanced mobile spyware is becoming increasingly affordable and automated.

Capabilities once associated with high-end surveillance tools are now available for less than the cost of a consumer subscription service. This lowers the threshold for cybercrime and increases the scale at which mobile users can be targeted.

The trend underscores the need for stronger mobile threat detection, application vetting, and user education.

Expert Commentary

iVerify notes that Cellik’s combination of Play Store integration and broad surveillance functionality is unusual at its price point.

The inclusion of AI-assisted behavior analysis and crypto-wallet theft features highlights a shift toward more data-driven, monetization-focused mobile malware operations.

Key Takeaways

  • Cellik is a full-featured Android RAT with extensive surveillance capabilities

  • Built-in APK bundling tools simplify malware distribution

  • Hidden browser and overlay attacks enable stealthy credential theft

  • Low pricing expands access beyond advanced threat actors

  • Mobile security controls and app hygiene are increasingly critical
