Cellik Android RAT (Oct – Dec 2025)
Targeted Sectors
Users of popular apps like:
· Spotify
· Mobile gaming apps.
Targeted Countries
· Global
BLUF (Bottom Line Up Front)
Cellik is a high-capability, low-cost Android RAT discovered in December 2025 that provides full device surveillance (live screen streaming, microphone/camera access) by trojanizing legitimate Google Play apps.
Date of First Reported Activity
· Identified in early December 2025.
Date of Last Reported Activity Update
· December 17, 2025.
APT Names
Criminal Organizations
Discovered within broader cybercrime networks; often associated with MaaS (Malware-as-a-Service) offerings on underground forums.
Malware Names
Cellik RAT
Malware Samples
Unable to locate a sample in open sources (OS) at this time.
Tools Used
One-click APK builder (for wrapping payloads into legitimate apps), hidden web browsers, and app-injection systems.
TTPs
· T1406 (Obfuscated Files or Information): Uses packing and encryption to hide malicious code within legitimate APKs.
· T1517 (Access Accessibility Service): Abuses Android Accessibility Services to monitor UI and simulate taps/swipes.
· T1430 (Location Tracking): Real-time GPS tracking capabilities.
· T1636 (Audio Capture): Remote activation of microphone for eavesdropping.
· T1437 (Standard Application Layer Protocol): Communicates with C2 via encrypted HTTP/S channels.
Delivery Method
Trojanized legitimate apps distributed via third-party app stores, romance scams, or social engineering links.
Email Samples
No specific widespread email templates reported yet; delivery primarily relies on smishing (SMS phishing) and social media lures.
Suggested Rules / potential hunts
These are indicator rules / potential hunts; they are likely to be noisy.
Suricata
(Network Detection)
Detection of Unsecured Configuration Retrieval
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE Cellik RAT Suspicious Config Request (HTTP)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".apk"; content:"/config/"; sid:2025001; rev:1;)
Detection of Real-time Screenshot Exfiltration
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE Cellik RAT Live Screen Streaming Traffic"; flow:established,to_server; dsize:>1000; stream_size:both, >, 50000; sid:2025002; rev:1;)
SentinelOne
(Endpoint Hunting/STAR Rules)
Hunt for Hidden Browser Activity
Identify processes launching invisible browser instances (often used by Cellik for phishing/web abuse)
ObjectType = "Process" AND (ProcessName CONTAINS "WebView" OR ProcessName CONTAINS "Browser") AND CommandLine CONTAINS "--headless" AND User != "root"
Hunt for Malicious File Paths
Look for binaries executing from temporary or unconventional directories used by RATs to evade detection
ObjectType = "Process" AND (FilePath CONTAINS "/tmp/" OR FilePath CONTAINS "/data/local/tmp/") AND NOT (ProcessName IN ("legit_app1", "legit_app2"))
Suspicious Screen Capture Permissions:
Monitor for apps requesting android.permission.PROJECT_MEDIA (used for screen streaming) without user interface interaction.
Splunk
(Log Analysis & Correlation)
Identify High-Volume Exfiltration Peaks:
This hunt finds devices sending unusually large amounts of data to external IPs, which may indicate active screen streaming
index=suricata event_type=flow | eval total_bytes = 'flow.bytes_toserver' + 'flow.bytes_toclient' | stats sum(total_bytes) as total_traffic by src_ip, dest_ip | where total_traffic > 100000000
Correlation of Cellik Config Requests:
index=suricata http.url="*/config/*.apk" | stats count by src_ip, http.hostname, http.url
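As an added example (not part of the original report or the vendor's tooling), the two Splunk hunts above re-implemented in Python over constructed Suricata EVE JSON lines, so the threshold and wildcard logic can be checked offline. Field names follow Suricata's EVE flow and http records (flow.bytes_toserver, flow.bytes_toclient, http.hostname, http.url); the IP addresses, hostnames and byte counts are assumptions.

```python
import json
from fnmatch import fnmatch

# Constructed sample Suricata EVE lines (not real Cellik traffic): three flow
# records and two HTTP records; 10.0.0.5 is the assumed suspicious device.
SAMPLE_EVE = """
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","flow":{"bytes_toserver":90000000,"bytes_toclient":20000000}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","flow":{"bytes_toserver":5000000,"bytes_toclient":1000000}}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","flow":{"bytes_toserver":1200,"bytes_toclient":3400}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"cdn.example.invalid","url":"/config/update.apk","http_method":"GET"}}
{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","http":{"hostname":"www.example.invalid","url":"/index.html","http_method":"GET"}}
"""

def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def high_volume_peers(events, threshold=100_000_000):
    """Equivalent of the first Splunk hunt: sum bytes in both directions per
    (src_ip, dest_ip) over flow events and keep pairs above the threshold."""
    totals = {}
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        flow = ev.get("flow", {})
        key = (ev["src_ip"], ev["dest_ip"])
        totals[key] = totals.get(key, 0) + flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
    return {k: v for k, v in totals.items() if v > threshold}

def config_requests(events, pattern="*/config/*.apk"):
    """Equivalent of the second Splunk hunt: count HTTP requests whose URL
    matches the wildcard pattern, keyed by (src_ip, hostname, url)."""
    counts = {}
    for ev in events:
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        url = http.get("url", "")
        if fnmatch(url, pattern):
            key = (ev["src_ip"], http.get("hostname"), url)
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    evts = parse_eve(SAMPLE_EVE)
    print(high_volume_peers(evts))   # {('10.0.0.5', '203.0.113.7'): 116000000}
    print(config_requests(evts))     # {('10.0.0.5', 'cdn.example.invalid', '/config/update.apk'): 1}
```

Both functions aggregate across the whole input at once; in production the flow sum should be bucketed by time window, as the Splunk search would be when run over a bounded time range.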
References
IVerify
· hxxps://iverify.io/blog/hyperrat-a-new-android-rat-sold-on-cybercrime-networks