AI-driven mobile detection can spot Android RATs like Cellik even when attackers hide inside trusted apps. Learn practical controls to reduce compromise and takeover risk.

AI Detection for Android RATs Hiding in Google Play
Most teams still treat Google Play as a safety boundary. Cellik proves it isn’t.
This week’s reporting on Cellik, an Android remote access Trojan (RAT)-as-a-service, highlights a shift that matters for every security leader: attackers aren’t just distributing sketchy APKs anymore—they’re industrializing mobile spyware campaigns by wrapping malicious payloads inside legitimate apps pulled from trusted stores.
If you’re responsible for security operations, fraud, or endpoint defense, this is the mobile equivalent of “living off the land.” The app looks normal. The victim’s actions look normal. And the compromise often starts with nothing more exotic than social engineering.
What changes the odds in your favor is AI-driven mobile threat detection: behavior-based monitoring that spots what Cellik does (screen streaming, hidden browsing, OTP capture), not just what it is (a known signature).
What Cellik tells us about modern Android malware
Cellik is a reminder that mobile malware has matured into a service business. That maturity shows up in packaging, pricing, usability, and—most importantly—distribution workflows that reduce attacker effort.
The standout detail is Cellik’s Play Store integration: it can automatically browse the store, download a legitimate app, wrap it with a malicious payload, and output a repackaged APK for distribution. That’s not “new malware magic.” It’s automation applied to trust abuse.
And because the model is “RAT-as-a-service,” the threat isn’t limited to advanced crews. Lower-skill criminals can rent capability that used to require specialized development.
Why “trusted store” isn’t the same as “trusted app”
Android defenders have leaned on two assumptions for years:
- Play Protect and store reviews catch most bad apps.
- If users avoid sideloading, risk drops dramatically.
Cellik pressures both assumptions. Even if Play Protect performs well at scale, attackers can still:
- Hide inside repackaged popular apps
- Use social engineering to convince a user to install a “fixed,” “premium,” or “optimized” version
- Target victims in communities where sideloading is common (international travel, telecom promotions, gaming mods, workplace “required” apps)
So yes, “don’t sideload” remains good advice. But it’s not a strategy. It’s a hope.
What Cellik can do after infection (and why defenders should care)
Once installed, Cellik’s power comes from operator-grade remote control. According to the research referenced in the source article, the attacker can stream a victim’s screen and interact with the device as if it were in their hands.
That capability turns a phone into a credential factory.
The capability stack: control, collection, and concealment
Cellik includes a set of functions that—taken together—map cleanly to real enterprise impact:
- Screen streaming + remote input: defeats many “are you a bot?” checks because actions occur in a real session on a real device.
- Keylogging: captures credentials and sensitive messages.
- Notification access and history: exposes one-time passcodes (OTPs) and MFA prompts.
- Browser data theft: cookies and autofill credentials can lead to account takeover.
- File system and cloud directory access: increases data exfiltration and extortion risk.
- Encrypted exfiltration: makes traditional network inspection less effective.
Here’s the part that should make fraud teams sit up: if an attacker can remotely drive the phone, they can perform high-risk actions inside trusted apps (banking, payroll, CRM, email) while looking like the legitimate user.
App overlays: the “fake login” trick still works
Cellik also supports app injection/overlays—placing a fake login screen on top of a real app. Even seasoned users fall for this because the overlay matches branding and appears at a believable moment (e.g., “session expired, please sign in again”).
When you combine overlays with notification/OTP access, attackers can:
- Steal username/password
- Capture OTP
- Complete login immediately
That’s why mobile RATs are so effective against organizations that invested heavily in MFA but didn’t invest equally in device integrity.
Why AI-based detection beats signature-based mobile defense here
Cellik’s distribution method and feature set are built to slip past controls that rely on known indicators.
AI helps because it can focus on behavioral truth: the patterns a normal app and normal user don’t exhibit.
Behavior signals that AI can flag early
A practical AI detection program for Android endpoints doesn’t need to “understand Cellik.” It needs to recognize anomalies that correlate with remote control and stealthy exfiltration.
Examples of high-value signals:
- Unusual accessibility service usage (a common abuse path for overlays and input automation)
- Screen capture/streaming patterns that don’t match user activity
- Background browser sessions or WebView activity with no foreground UI
- Abnormal notification harvesting (especially from authenticator, banking, or messaging apps)
- Suspicious app lifecycle behavior right after install (permission prompts, new services, persistence attempts)
- New outbound connections to rare domains/IPs following sideload events
AI earns its keep when it correlates these signals across time, rather than treating them as isolated alerts.
The real win: correlation across devices and campaigns
One compromised phone is an incident. Ten phones with similar post-install behaviors are a campaign.
AI-driven threat intelligence can cluster detections by:
- Payload behavior fingerprints
- Similar C2 infrastructure characteristics
- Shared repackaging artifacts
- Common social engineering lures (file names, installers, delivery channels)
That clustering is what turns mobile security from reactive cleanup into campaign disruption.
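To make the two preceding ideas concrete (per-device correlation of the behavior signals listed above, then cross-device clustering into a campaign), here is an added Python example. It is not code from the article or from any product; the event format, the weights, the 30-minute window, the threshold and the rare-host and sensitive-package lists are all assumptions, and the telemetry lines are constructed. The point it shows is that no single signal crosses the threshold, the combination does, and that a legitimately sideloaded screen reader enabling accessibility stays below it.

```python
from collections import defaultdict

# Tuning values are assumptions for this example, not values from any product.
WINDOW_MINUTES = 30   # how long after the first signal we keep correlating
ALERT_THRESHOLD = 7   # summed weight that promotes a device/package pair to an alert

# Assumed outputs of reputation lookups (constructed for the example).
RARE_HOSTS = {"cdn-update.example.invalid"}
SENSITIVE_PKGS = {"com.google.android.apps.authenticator2", "com.example.bank"}

# One weight per behaviour signal; a single signal never crosses the threshold alone.
SIGNAL_WEIGHTS = {
    "accessibility_after_install": 3,
    "sensitive_notification_access": 3,
    "screen_capture_without_input": 3,
    "background_webview": 2,
    "rare_host_after_sideload": 2,
}

# Constructed telemetry, not real captures: (device, minute offset, event type, "key=value ...").
SAMPLE_EVENTS = [
    ("phone-A", 0, "install",        "source=sideload pkg=com.example.video.premium"),
    ("phone-A", 2, "accessibility",  "pkg=com.example.video.premium enabled=true"),
    ("phone-A", 3, "notif_access",   "pkg=com.example.video.premium target=com.google.android.apps.authenticator2"),
    ("phone-A", 5, "screen_capture", "pkg=com.example.video.premium foreground_input=false"),
    ("phone-A", 6, "webview",        "pkg=com.example.video.premium foreground=false"),
    ("phone-A", 7, "net_connect",    "pkg=com.example.video.premium host=cdn-update.example.invalid"),
    ("phone-B", 0, "install",        "source=sideload pkg=com.example.video.premium"),
    ("phone-B", 4, "accessibility",  "pkg=com.example.video.premium enabled=true"),
    ("phone-B", 4, "notif_access",   "pkg=com.example.video.premium target=com.example.bank"),
    ("phone-B", 9, "screen_capture", "pkg=com.example.video.premium foreground_input=false"),
    ("phone-B", 9, "webview",        "pkg=com.example.video.premium foreground=false"),
    ("phone-B", 11, "net_connect",   "pkg=com.example.video.premium host=cdn-update.example.invalid"),
    # Store install of a mapping app talking to its own backend: no signals.
    ("phone-C", 0, "install",        "source=play pkg=com.example.maps"),
    ("phone-C", 1, "net_connect",    "pkg=com.example.maps host=maps.example.com"),
    # Sideloaded screen reader legitimately enabling accessibility: one signal, below threshold.
    ("phone-D", 0, "install",        "source=sideload pkg=com.example.screenreader"),
    ("phone-D", 1, "accessibility",  "pkg=com.example.screenreader enabled=true"),
]


def parse_detail(detail):
    """Turn 'k=v k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())


def extract_signals(events):
    """Map raw events to named signals, keyed by (device, package)."""
    installs = {}                  # (device, pkg) -> (install minute, source)
    signals = defaultdict(list)    # (device, pkg) -> [(minute, signal, host)]
    for device, minute, etype, detail in sorted(events, key=lambda e: (e[0], e[1])):
        d = parse_detail(detail)
        key = (device, d.get("pkg"))
        if etype == "install":
            installs[key] = (minute, d.get("source"))
            continue
        inst = installs.get(key)
        recent = inst is not None and minute - inst[0] <= WINDOW_MINUTES
        sideloaded = inst is not None and inst[1] == "sideload"
        name, host = None, None
        if etype == "accessibility" and d.get("enabled") == "true" and recent:
            name = "accessibility_after_install"
        elif etype == "notif_access" and d.get("target") in SENSITIVE_PKGS:
            name = "sensitive_notification_access"
        elif etype == "screen_capture" and d.get("foreground_input") == "false":
            name = "screen_capture_without_input"
        elif etype == "webview" and d.get("foreground") == "false":
            name = "background_webview"
        elif etype == "net_connect" and d.get("host") in RARE_HOSTS and sideloaded and recent:
            name, host = "rare_host_after_sideload", d["host"]
        if name:
            signals[key].append((minute, name, host))
    return signals


def correlate(signals):
    """Sum distinct signal weights inside the window; return alerts over the threshold."""
    alerts = []
    for (device, pkg), sigs in signals.items():
        start = sigs[0][0]
        in_window = [s for s in sigs if s[0] - start <= WINDOW_MINUTES]
        names = {s[1] for s in in_window}
        hosts = {s[2] for s in in_window if s[2]}
        score = sum(SIGNAL_WEIGHTS[n] for n in names)
        if score >= ALERT_THRESHOLD:
            alerts.append({"device": device, "pkg": pkg, "score": score,
                           "signals": names, "hosts": hosts})
    return alerts


def cluster_campaigns(alerts, min_devices=2):
    """Group alerts sharing a behaviour fingerprint (package, signal set, hosts) across devices."""
    groups = defaultdict(set)
    for a in alerts:
        fingerprint = (a["pkg"], frozenset(a["signals"]), frozenset(a["hosts"]))
        groups[fingerprint].add(a["device"])
    return {fp: devs for fp, devs in groups.items() if len(devs) >= min_devices}


def analyze(events=SAMPLE_EVENTS):
    alerts = correlate(extract_signals(events))
    return alerts, cluster_campaigns(alerts)


if __name__ == "__main__":
    found_alerts, found_campaigns = analyze()
    for a in found_alerts:
        print(a["device"], a["pkg"], a["score"], sorted(a["signals"]))
    for fp, devices in found_campaigns.items():
        print("campaign:", fp[0], sorted(fp[1]), sorted(fp[2]), "->", sorted(devices))
```

In a real deployment the event tuples would come from your mobile EDR or MDM feed and the fingerprint would include repackaging artifacts (signing key, embedded resource hashes) as well; the window-then-cluster structure is what carries over.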
A practical defense plan for Cellik-style threats
Stopping Cellik isn’t about a single control. It’s about building a mobile defense stack that assumes attackers will abuse trust.
1) Reduce sideloading risk without breaking the business
If your answer is “ban sideloading,” you’ll lose the argument the first time a business unit needs a regional app, a beta build, or a partner’s installer.
What works better:
- Conditional access: restrict corporate app access (email, VPN, SSO) to devices that meet integrity checks.
- Allowlisting for approved APK sources and signing keys.
- User friction in the right place: require justification + ticketing for manual installs on managed devices.
2) Treat Android permissions as a risk-scoring engine
Permissions aren’t just toggles; they’re a story. AI can help you read it.
A simple rule: high privilege + low reputation + recent install should spike risk.
Prioritize monitoring and response for apps requesting combinations like:
- Accessibility + notification access
- Overlay permissions + background services
- Device admin privileges + unknown publisher
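An added Python example of the permission risk-scoring rule above (high privilege + low reputation + recent install), not code from the article or any vendor. The permission strings are real Android manifest names; the combination weights, the seven-day recency window, the 1.5x recency multiplier and the tier cut-offs are assumptions, and the app inventory is constructed. It also shows the intended negative case: a long-installed, known-publisher screen reader holding the accessibility permission alone scores low.

```python
from dataclasses import dataclass

# Real Android permission names; the grouping into risky combinations follows the article.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
FG_SERVICE = "android.permission.FOREGROUND_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# (label, permissions that must all be present, weight). Weights are assumptions.
COMBOS = [
    ("accessibility+notification_access", {ACCESSIBILITY, NOTIF_LISTENER}, 40),
    ("overlay+background_service", {OVERLAY, FG_SERVICE}, 30),
]
RECENT_DAYS = 7          # assumption: installs this fresh get their score amplified
RECENCY_MULTIPLIER = 1.5


@dataclass
class InstalledApp:
    package: str
    publisher_known: bool    # assumed result of an allowlist / signing-key reputation lookup
    install_age_days: int
    source: str              # "play" or "sideload"
    permissions: set


def score_app(app):
    """Return (score, reasons); reasons are the 'story' an analyst reads."""
    score, reasons = 0, []
    for label, required, weight in COMBOS:
        if required <= app.permissions:
            score += weight
            reasons.append(label)
    if DEVICE_ADMIN in app.permissions:
        score += 15
        reasons.append("device_admin")
        if not app.publisher_known:
            score += 25
            reasons.append("device_admin+unknown_publisher")
    if not app.publisher_known:
        score += 15
        reasons.append("unknown_publisher")
    if app.source == "sideload":
        score += 10
        reasons.append("sideloaded")
    # Recency only amplifies an existing finding; a fresh but clean app stays at zero.
    if reasons and app.install_age_days <= RECENT_DAYS:
        score = int(score * RECENCY_MULTIPLIER)
        reasons.append("recent_install")
    return score, reasons


def risk_tier(score):
    if score >= 80:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def triage(apps):
    """Score an inventory and return it highest-risk first."""
    rows = []
    for app in apps:
        score, reasons = score_app(app)
        rows.append((app.package, score, risk_tier(score), reasons))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory, not real apps.
SAMPLE_APPS = [
    InstalledApp("com.example.video.premium", False, 1, "sideload",
                 {ACCESSIBILITY, NOTIF_LISTENER, OVERLAY, FG_SERVICE}),
    InstalledApp("com.example.screenreader", True, 200, "play", {ACCESSIBILITY, FG_SERVICE}),
    InstalledApp("com.example.bank", True, 400, "play", {FG_SERVICE}),
    InstalledApp("com.example.mdm", True, 3, "play", {DEVICE_ADMIN}),
]

if __name__ == "__main__":
    for package, score, tier, reasons in triage(SAMPLE_APPS):
        print(f"{tier:8} {score:4} {package}  {', '.join(reasons) or '-'}")
```

The output rows are what you would feed into the SOC queue: the tier decides urgency, and the reason list tells the analyst which part of the story (privilege, reputation, recency, source) drove the score.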
3) Add AI-driven EDR for mobile (and integrate it into SOC workflows)
Mobile telemetry is only useful if it ends up in the same operational loop as everything else.
If you’re evaluating AI-powered endpoint detection and response for Android, require these capabilities:
- Behavioral detections (not just signatures)
- Automated containment actions (network isolate, revoke tokens, block app)
- Identity tie-in (force re-auth, step-up MFA, token invalidation)
- Case management exports for the SOC
The goal isn’t “more alerts.” It’s fewer incidents that reach account takeover.
4) Build “remote control” detections into fraud and IAM
Cellik blurs the line between malware and fraud. Your IAM and fraud controls should reflect that.
Strong options:
- Device binding for high-risk actions (new payee, payroll change, wire approval)
- Behavioral biometrics tuned to mobile sessions (gesture cadence, navigation patterns)
- Step-up checks when the device shows signs of automation/remote control
If a phone is being driven by an attacker, the user’s behavior often becomes too perfect or too fast.
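An added Python example of the two controls above (device binding for high-risk actions and a step-up check when a session looks automated), not code from the article or any fraud platform. The "too fast" and "too regular" thresholds, the high-risk action names, the device-binding registry and the session timings are all constructed assumptions; real behavioral biometrics use far richer features, but the timing-regularity idea is the same.

```python
import statistics

# Assumed thresholds for this example: a whole session of taps faster than this median,
# or with inter-action jitter this low, does not look like a human hand.
HUMAN_MIN_MEDIAN_MS = 250
HUMAN_MIN_CV = 0.15
MIN_ACTIONS = 4                      # below this we have too little timing data to judge
HIGH_RISK_ACTIONS = {"add_payee", "wire_approve", "payroll_change"}


def automation_indicators(action_times_ms):
    """Return timing-based reasons to suspect remote control; empty list if none."""
    if len(action_times_ms) < MIN_ACTIONS:
        return []
    gaps = [b - a for a, b in zip(action_times_ms, action_times_ms[1:])]
    median = statistics.median(gaps)
    cv = statistics.pstdev(gaps) / statistics.fmean(gaps)   # coefficient of variation
    reasons = []
    if median < HUMAN_MIN_MEDIAN_MS:
        reasons.append("too_fast")
    if cv < HUMAN_MIN_CV:
        reasons.append("too_regular")
    return reasons


def decide(session, bound_devices):
    """Return ("allow" | "step_up", reasons) for one session's requested action."""
    reasons = automation_indicators(session["action_times_ms"])
    known = bound_devices.get(session["user"], set())
    if session["action"] in HIGH_RISK_ACTIONS and session["device_id"] not in known:
        reasons.append("unbound_device_for_high_risk_action")
    return ("step_up" if reasons else "allow"), reasons


def screen(sessions, bound_devices):
    return [(s["device_id"], s["action"], *decide(s, bound_devices)) for s in sessions]


# Constructed data, not real sessions or users.
SAMPLE_BOUND = {"alice": {"dev-alice-1"}}
HUMAN_TIMING = [0, 900, 1750, 3100, 3900, 5400]          # jittery, sub-second-plus gaps
DRIVEN_TIMING = [0, 120, 240, 361, 480, 601, 720]        # near-constant 120 ms gaps
SAMPLE_SESSIONS = [
    {"user": "alice", "device_id": "dev-alice-1", "action": "view_balance", "action_times_ms": HUMAN_TIMING},
    {"user": "alice", "device_id": "dev-alice-1", "action": "add_payee",    "action_times_ms": DRIVEN_TIMING},
    {"user": "alice", "device_id": "dev-unknown-9", "action": "add_payee",  "action_times_ms": HUMAN_TIMING},
    {"user": "alice", "device_id": "dev-alice-1", "action": "add_payee",    "action_times_ms": HUMAN_TIMING},
]

if __name__ == "__main__":
    for device, action, verdict, reasons in screen(SAMPLE_SESSIONS, SAMPLE_BOUND):
        print(f"{device:14} {action:13} {verdict:8} {', '.join(reasons) or '-'}")
```

Note that the bound device with human-looking timing is allowed to add a payee while the same device under machine-regular input is stepped up: the control keys on how the session behaves, not only on which device it comes from.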
“But it’s in Google Play—how can we still get hit?” (Quick Q&A)
Can Cellik infect a phone without exploits?
Yes. The model described in the source reporting relies on social engineering and user trust, not a kernel exploit chain. That’s why it scales.
If we use MFA, are we safe?
Not on its own. A RAT that can read notifications and capture OTPs can neutralize many MFA flows. You need device integrity + behavioral detection.
Is this mostly a personal-device problem?
No. BYOD and contractor access make it an enterprise problem fast. If a personal device has access to corporate email, SSO, or admin consoles, it’s in scope.
Where AI in cybersecurity fits next
Cellik is a clean example of why the AI in Cybersecurity series keeps coming back to the same point: attackers automate trust abuse, so defenders have to automate detection and response.
Signature-based approaches still matter, but they’re outmatched when malware is repackaged, encrypted, and distributed through believable channels. Behavior-based AI systems—paired with strong identity controls—catch the actions that can’t be disguised for long.
If your mobile security program still depends on “we tell users not to sideload,” it’s time to upgrade the plan. What would it take for your SOC to detect a compromised phone before it becomes an account takeover ticket on Monday morning?