An Android malware campaign is reportedly exploiting Hugging Face’s public hosting infrastructure to distribute a remote access trojan (RAT). This operation utilizes social engineering, staged payload delivery, and the abuse of Android permissions to maintain persistence on infected devices.
Bitdefender Labs’ findings indicate the campaign initiates with a seemingly legitimate Android application functioning as a dropper. Users are typically enticed by ads or pop-up prompts that falsely warn of device infections. Upon installation, this app retrieves a second-stage payload from Hugging Face, enabling attackers to camouflage malicious traffic within legitimate developer activity and evade immediate detection.
The campaign has been highlighted not only for its exploitation of a trusted AI development platform but also for its extensive scale and automation. This involves thousands of unique Android packages, with new variants frequently generated to bypass signature-based defenses.
Scareware lure and dropper deployment
The infection begins by tricking Android users into installing the malicious security app, “TrustBastion.” The app serves as a dropper, code that appears benign until it triggers the delivery of a more dangerous payload.
A user most likely encounters an advertisement or similar prompt claiming the phone is infected, urging the installation of a security platform often presented as free and feature-rich, according to a Bitdefender blog post. When its website (trustbastion[.]com) was active, it claimed to detect scams, fraudulent SMSes, phishing, and malware.
Once launched, the app immediately displays a prompt styled to look like an Android system or Google Play update notification, the interface many users are conditioned to trust. Accepting the “update” initiates a network request to an encrypted endpoint on the attacker’s infrastructure, which in turn redirects the victim to a Hugging Face dataset hosting a malicious APK.
Abuse through smart hosting
Hugging Face serves as a prominent platform for developers to host machine learning models, datasets, and tools. Bitdefender reports that this resource is now being exploited to conceal malicious downloads within legitimate activity. Although the platform employs ClamAV scanning for uploads, these measures currently prove insufficient in filtering out cleverly disguised malware repositories.
Analysis of the Hugging Face repository indicated a high volume of commits within a short timeframe. New payloads were reportedly generated approximately every 15 minutes. During the investigation, the repository was about 29 days old and had amassed over 6,000 commits.
The repository was eventually taken offline, but the operation resurfaced elsewhere with minor cosmetic changes, while the underlying code remained unchanged.
Installation, permissions, and persistent RAT
Once the second-stage payload installs, the application poses as a system component for a “Phone Security” feature and guides the user through enabling highly sensitive Android permissions.
Among the requested permissions are Accessibility Services, screen recording, screen casting, and overlay display rights. Together, these give the malware extensive visibility into user interaction and the ability to capture on-screen content across apps.
These capabilities can be exploited to monitor and record user activity in real time, present fake authentication interfaces that mimic popular financial platforms (such as Alipay and WeChat) to steal credentials, capture lock screen patterns and biometric inputs, and exfiltrate collected data to an attacker-controlled command and control (C2) server.
Bitdefender reportedly contacted Hugging Face prior to publishing its disclosure, leading to the swift removal of the datasets containing malware. Hugging Face did not immediately respond to CSO’s request for comments.
For further assistance, Bitdefender has provided a list of indicators of compromise (IoCs), which includes dropper hashes, IP addresses, domains, and package names.
