Rising Threats: New Android Malware Cellik Combines Phishing and Surveillance Techniques

By Tina Reynolds

Cybersecurity specialists are raising the alarm over a new mobile malware dubbed Cellik. They caution that this tool is currently being sold on the dark web as a powerful new offensive weapon for cyber criminals. Renting the malicious software costs only $150 a month; a lifetime license costs $900. Cellik is designed to incite, intimidate and discriminate against targeted groups. It can stream the victim's screen in real time, record keystrokes, and hijack the device's cameras and microphones.

Cellik can wipe data securely and surf the deep web. It hijacks notifications and overlays other apps to phish passwords from users. With a single click, the malware generates a new malicious APK: it surreptitiously packages its Remote Access Trojan (RAT) into what looks like a legitimate app, making it harder for security tools to detect.

Advanced Features and Infrastructure

Each build of Cellik is tied to its own set of command-and-control (C2) domains, making it more resistant to takedown. Even if one domain is taken down, the other 11 domains continue operating, leaving the cybercriminals free to carry on without facing any consequences.

Cellik can search for phone numbers, exfiltrate contact lists, and send SMS messages from infected devices. It lets the operator intercept victims' one-time passwords (OTPs), a capability without which attackers could not directly siphon funds from victims' bank accounts. Because its C2 communication is bidirectional, the malware can execute arbitrary USSD requests sent by the server.

“The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors.” – The Hacker News

Some experts are calling the sophistication of Cellik a new front in the age of mobile malware.

Emergence of Frogblight

In addition to Cellik, a second piece of malware known as Frogblight is thought to be in active development. It specifically targets users in Turkey with SMS phishing campaigns that trick victims into installing the malware. Frogblight uses a web panel, hosted on the C2 server, to control infected devices from a web browser. Only samples built with the same key as the web panel login can be controlled through this interface.

Frogblight represents a new trend in malware operations. It follows in Cellik's footsteps, employing the same deceptive tactics to reach a much broader audience. The threat actor behind Frogblight is preparing to roll out a malware-as-a-service (MaaS) model, which would let other cybercriminals use this sophisticated tool for their own ends.

“Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload.” – Daniel Kelley

Wonderland: A New Player in Cybercrime

The second major player on the mobile-malware scene is Wonderland, first detected on October 15, 2025. This malware uses fake Google Play Store pages and ad campaigns on social media platforms such as Facebook to lure unsuspecting users. Fake profiles on dating apps and messaging platforms such as Telegram are further channels for spreading it.

Wonderland is operated by TrickyWonders, a financially motivated threat actor that relies heavily on Telegram to coordinate the operation. This targeted use of social media is one aspect of a growing trend in which cybercriminals weave seemingly legitimate platforms into their criminal enterprises.

“Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy.” – CYFIRMA

Implications for Users and Security Measures

The introduction of Cellik, Frogblight, and Wonderland marks another inflection point in the growing sophistication of mobile malware development. Experts caution that these advanced threats require users to take a more proactive approach to security. Nearly all cybersecurity professionals recommend frequent software updates, care in which apps are installed, and heightened alertness to phishing schemes.

Before APKs were built with clickjacking tactics in mind, users faced 'pure' Trojan APKs that delivered malware as soon as they were installed. Today's adversaries are rolling out SPD droppers disguised as legitimate applications, creating a dangerous scenario in which users cannot detect the risk until they are already compromised.

“Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.” – Group-IB
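The dropper pattern described above (a harmless-looking app carrying a built-in payload that is unpacked locally, with no network contact needed) leaves a trace that can be triaged statically before an app is installed. The following Python script is an added example, not code from the article or from any of the vendors it quotes. It opens an APK as the ZIP archive it is and flags entries under assets/ or res/raw/ that carry a DEX, APK/JAR or ELF header, or that are large high-entropy blobs likely to be an encrypted payload. The entropy threshold, the minimum blob size, and the sample APK the script builds for itself are all constructed for the demonstration and are not drawn from any real sample.

```python
"""Static triage heuristic for Android dropper APKs.

Added example (not part of the article or any vendor's tooling). An APK is a
ZIP archive, so it can be inspected without installing it. The script flags
entries under assets/ or res/raw/ that look like executable payloads: a DEX,
APK/JAR or ELF header, or a large high-entropy blob that may be an encrypted
payload unpacked at runtime. Thresholds are assumptions chosen for illustration.
"""
import io
import math
import random
import zipfile
from collections import Counter
from typing import Dict, Optional

DEX_MAGIC = b"dex\n"       # Dalvik executable header
ZIP_MAGIC = b"PK\x03\x04"  # nested APK/JAR
ELF_MAGIC = b"\x7fELF"     # native binary shipped outside lib/

PAYLOAD_DIRS = ("assets/", "res/raw/")
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte above which a blob is "packed"
MIN_BLOB_SIZE = 4096       # assumption: ignore tiny files when judging entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_entry(name: str, data: bytes) -> Optional[str]:
    """Return a finding label for one archive entry, or None if it looks benign."""
    if not name.startswith(PAYLOAD_DIRS):
        return None  # classes.dex, lib/ and res/ layouts are expected locations
    if data.startswith(DEX_MAGIC):
        return "embedded DEX in asset"
    if data.startswith(ZIP_MAGIC):
        return "embedded APK/JAR in asset"
    if data.startswith(ELF_MAGIC):
        return "embedded native binary in asset"
    if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy blob (possible encrypted payload)"
    return None


def scan_apk(apk_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious entry name in the APK to its finding label."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            label = classify_entry(info.filename, apk.read(info.filename))
            if label:
                findings[info.filename] = label
    return findings


def build_sample_apk() -> bytes:
    """Constructed dropper-like APK for the demo; not a real sample."""
    rng = random.Random(7)  # seeded so the demo is deterministic
    packed = bytes(rng.getrandbits(8) for _ in range(8192))  # looks encrypted
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)  # normal spot
        z.writestr("assets/config.json", b'{"theme": "light", "lang": "en"}')
        z.writestr("assets/update.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 64)  # hidden DEX
        z.writestr("assets/data.pak", packed)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, label in scan_apk(build_sample_apk()).items():
        print(f"{entry}: {label}")
```

Run against a real APK by passing the file's bytes to `scan_apk`. A hit is only a triage signal: legitimate apps do ship compressed game assets or ML models that are high-entropy, so the findings should be confirmed by unpacking the flagged entry, not acted on blindly.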

The threats against Android devices continue to grow and change day by day, and they are becoming more sophisticated at a stunning rate.