A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.
Specifically, attackers can select apps from Android's official app store and create trojanized versions that appear trustworthy and keep the real app's interface and functionality.
Because the trojanized app still delivers the functionality the user expects, a Cellik infection can go unnoticed for a longer time. Additionally, the seller claims that bundling the malware this way may help bypass Google Play Protect, although this claim is unconfirmed.
Mobile security firm iVerify discovered Cellik on underground forums where it is offered for $150/month or $900 for lifetime access.
Cellik capabilities
Cellik is a fully-fledged Android malware that can capture and stream the victim's screen in real time, intercept app notifications, browse the filesystem, exfiltrate files, wipe data, and communicate with the command-and-control server via an encrypted channel.
[Image: Live feed of the victim's screen. Source: iVerify]
The malware also features a hidden browser mode that attackers can use to access websites from the infected device using the victim's stored cookies.
An app injection system allows attackers to overlay fake login screens or inject malicious code into any app to steal the victim's account credentials.