Cellik Android malware-as-a-service trojanized-app builder
Malware Activity
Summary
Hide ▲
Show ▼
The Cellik Android malware-as-a-service has appeared on underground forums with a builder that can create trojanized versions of Google Play Store apps, increasing the risk of stealthy infections. The malware is advertised to capture and stream screens, intercept notifications, browse files, exfiltrate data, and wipe devices. It also includes fake login overlays and a hidden browser mode that can reuse stored cookies, which raises the likelihood of credential theft. The seller claims the packaging may help evade Play Protect, but that evasion claim is unconfirmed.
Related Happenings
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/ServiceAbout this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Premium Deception Android malware campaign
Campaign
H score38
First: 20.05.2026 18:30
Last: 20.05.2026 18:30
Sources 1
About this happening:
The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...
Premium Deception Android malware campaign
CampaignAbout this happening: The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Trapdoor Android malvertising and ad-fraud campaign
CampaignAbout this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Timeline
-
17.12.2025 00:59 2 articles · 6mo ago
Cellik Android malware-as-a-service appears on underground forums
Initial DisclosureCellik, a new Android malware-as-a-service, is being advertised on underground cybercrime forums with an APK builder that can wrap payloads inside apps from the Google Play Store to create trojanized variants that keep the original interface and functionality. The service is described as able to capture and stream screens, intercept notifications, browse the filesystem, exfiltrate files, wipe data, use a hidden browser mode with stored cookies, and inject fake login screens for credential theft, while also communicating with command-and-control servers over an encrypted channel and claiming, unconfirmed, that trusted-app packaging may help bypass Play Protect.
Show sources
- Cellik Android malware builds malicious versions from Google Play apps — www.bleepingcomputer.com — 17.12.2025 00:59
- Cellik Android malware builds malicious versions from Google Play apps — www.bleepingcomputer.com — 17.12.2025 00:59