An Android malware campaign is reportedly abusing Hugging Face’s public hosting infrastructure to distribute a remote access trojan (RAT). The operation relies on social engineering, staged payload delivery, and abuse of Android permissions to achieve persistence on infected devices.

According to Bitdefender Labs findings, the campaign begins with a seemingly legitimate Android application that acts as a dropper. Users encounter the lure through ads or pop-up prompts warning of fake infections. Once installed, the app fetches a second-stage payload hosted on Hugging Face, allowing the attackers to blend malicious traffic with legitimate developer activity and avoid immediate detection.

The researchers flagged the campaign not only for its use of a trusted AI development platform but also for its scale and automation: it involves thousands of unique Android packages, with new variants generated frequently to evade signature-based defenses.

Scareware lure and dropper deployment

The infection begins by tricking Android users into installing the malicious security app, “TrustBastion.” The app serves as a dropper, code that appears benign until it triggers the delivery of a more dangerous payload.

“In the most likely scenario, a user encounters an advertisement or similar prompt claiming the phone is infected and urging the installation of a security platform, often presented as free and packed with ‘useful’ features,” the researchers said in a blog post. “When its website was online (trustbastion[.]com), it promised to detect scams and fraudulent SMSes, phishing, malware, and much more.”

Once launched, the app immediately displays a prompt styled to look like an Android system or Google Play update notification, the interface many users are conditioned to trust. Accepting the “update” initiates a network request to an encrypted endpoint on the attacker’s infrastructure, which in turn redirects the victim to a Hugging Face dataset hosting a malicious APK.

Abuse through smart hosting

Hugging Face is a go-to platform for developers hosting machine learning models, datasets, and tooling. According to Bitdefender, the resource is now being leveraged to mask malicious downloads amidst legitimate activity. While the platform uses ClamAV scanning on uploads, these controls currently fall short of filtering out cleverly disguised malware repositories, the researchers noted.

“Analysis of the Hugging Face repository revealed a high volume of commits over a short period of time,” the researchers said. “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6,000 commits.”

The repository was eventually taken offline, but the operation resurfaced elsewhere with minor cosmetic changes, while the underlying code remained unchanged.

Installation, permissions, and persistent RAT

Once the second-stage payload installs, the application poses as a system component for a “Phone Security” feature and guides the user through enabling highly sensitive Android permissions.

Among the requested permissions are Accessibility Services, screen recording, screen casting, and overlay display rights. Together, these give the malware extensive visibility into user interaction and the ability to capture on-screen content across apps.

The researchers said these capabilities can be used to monitor and record user activity in real time, display fake authentication interfaces mimicking popular financial platforms (like Alipay and WeChat) to harvest credentials, capture lock screen patterns and biometric inputs, and exfiltrate harvested data back to an actor-controlled command and control (C2) server.
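As a triage aid for the permission combination described above, the following added example (not code from Bitdefender or from this article) flags a decoded AndroidManifest.xml that declares an accessibility service, overlay rights and screen capture together. The manifest is a constructed sample with hypothetical package and class names, it is assumed to have been decoded to text with a tool such as apktool, and the permission strings are the standard Android identifiers rather than values taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample of a decoded manifest; all names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phonesecurity">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".GuardService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CastService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""


def risky_capabilities(manifest_xml):
    """Return the set of sensitive capability labels a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = set()
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.add("overlay")
    if "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms:
        found.add("screen_capture")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found.add("installs_packages")
    for svc in root.iter("service"):
        # Accessibility services are declared by the permission that guards them.
        if svc.get(ANDROID + "permission") == ACCESSIBILITY:
            found.add("accessibility")
        # foregroundServiceType may combine several values with "|".
        types = (svc.get(ANDROID + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in (t.strip() for t in types):
            found.add("screen_capture")
    return found


def needs_review(manifest_xml):
    """True when accessibility, overlay and screen capture appear together."""
    wanted = {"accessibility", "overlay", "screen_capture"}
    return wanted <= risky_capabilities(manifest_xml)


if __name__ == "__main__":
    print(sorted(risky_capabilities(SAMPLE_MANIFEST)), needs_review(SAMPLE_MANIFEST))
```

Screen-capture consent is granted at runtime, so a manifest match is a signal for closer review and not proof of malicious behavior; legitimate accessibility and remote-support apps can declare the same set.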

Bitdefender said it contacted Hugging Face before publishing the disclosure, and the latter quickly took down the datasets containing malware. Hugging Face did not immediately respond to CSO’s request for comment.

For additional support, Bitdefender has shared a list of indicators of compromise (IoCs), including dropper hashes, IPs, domains, and package names.
