
Cellik Android malware-as-a-service trojanized-app builder

Malware Activity
Happening score (H score): 22
1 unique source, 1 article

Summary


The Cellik Android malware-as-a-service has appeared on underground forums with a builder that can create trojanized versions of Google Play Store apps, increasing the risk of stealthy infections. The malware is advertised to capture and stream screens, intercept notifications, browse files, exfiltrate data, and wipe devices. It also includes fake login overlays and a hidden browser mode that can reuse stored cookies, which raises the likelihood of credential theft. The seller claims the packaging may help evade Play Protect, but that evasion claim is unconfirmed.

Related Happenings

Premium Deception Android malware campaign

Campaign
First: 20.05.2026 18:30 Last: 20.05.2026 18:30 Sources 1

About this happening: The **Premium Deception** campaign used **nearly 250 fake Android apps** to enroll victims in premium mobile billing subscriptions, creating direct fraud risk across multiple coun...

Trapdoor Android malvertising and ad-fraud campaign

Campaign
First: 19.05.2026 19:38 Last: 19.05.2026 19:38 Sources 1

About this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases

Malware Activity
First: 03.04.2026 12:10 Last: 03.04.2026 12:10 Sources 1

About this happening: The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...

Timeline

  1. 17.12.2025 00:59 2 articles · 5mo ago

    Cellik Android malware-as-a-service appears on underground forums

    Initial Disclosure

    Cellik, a new Android malware-as-a-service, is being advertised on underground cybercrime forums with an APK builder that can wrap payloads inside apps from the Google Play Store, creating trojanized variants that keep the original interface and functionality. The service is described as able to capture and stream screens, intercept notifications, browse the filesystem, exfiltrate files, wipe data, use a hidden browser mode with stored cookies, and inject fake login screens for credential theft. It is also described as communicating with command-and-control servers over an encrypted channel. The seller claims that trusted-app packaging may help bypass Play Protect; that claim is unconfirmed.
