A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store.

Specifically, attackers can select apps from Android's official app store and create trojanized versions that appear trustworthy and keep the real app's interface and functionality.

By providing the expected capabilities, Cellik infections can go unnoticed for a longer time. Additionally, the seller claims that bundling the malware this way may help bypass Play Protect, although this is unconfirmed.

Mobile security firm iVerify discovered Cellik on underground forums where it is offered for $150/month or $900 for lifetime access.

Cellik capabilities

Cellik is a fully-fledged Android malware that can capture and stream the victim's screen in real time, intercept app notifications, browse the filesystem, exfiltrate files, wipe data, and communicate with the command-and-control server via an encrypted channel.

The malware also features a hidden browser mode that attackers can use to access websites from the infected device using the victim's stored cookies.

An app injection system allows attackers to overlay fake login screens or inject malicious code into any app to steal the victim's account credentials.

The listed capabilities also include the option to inject payloads onto installed apps, which would make pinpointing the infection even more difficult, as long-trusted apps suddenly turn rogue.

The highlight, though, is the Play Store integration into Cellik's APK builder, which allows cybercriminals to browse the store for apps, select the ones they want, and create a malicious variant of them.

"The seller claims Cellik can bypass Google Play security features by wrapping its payload in trusted apps, essentially disabling Play Protect detection," explains iVerify.

"While Google Play Protect typically flags unknown or malicious apps, trojans hidden inside popular app packages might slip past automated reviews or device-level scanners."

BleepingComputer has contacted Google to ask if Cellik-bundled apps can indeed evade Play Protect, but a comment wasn't immediately available.

To stay safe, Android users should avoid sideloading APKs from dubious sites unless they trust the publisher, ensure Play Protect is active on the device, review app permissions, and monitor for unusual activity.