Bitdefender has reported that cybercriminals are exploiting Hugging Face as a distribution point for Android malware in a campaign aimed at gaining unauthorized access to devices, credentials, and lock screen information. This activity is associated with a remote access trojan campaign that initiates with a malicious Android application named TrustBastion. According to Bitdefender, the perpetrators have employed social engineering tactics, repeated malware builds, and Android accessibility services throughout the infection chain.
Hugging Face, known for its hosting of machine learning models and datasets, serves a diverse community of developers and researchers across the Asia-Pacific region, including institutions such as the University of Sydney. However, Bitdefender’s findings indicate that the platform’s content controls failed to prevent the hosting of malicious software during this campaign. Hugging Face has stated that it utilizes ClamAV, an open-source antivirus engine, to scan uploads.
Bitdefender outlined a two-stage infection process. The initial stage involves a dropper application, while the second stage installs a malicious payload that enables remote access trojan capabilities. The infection process begins when a user downloads TrustBastion, typically triggered by an advertisement or prompt that falsely claims the device is infected and recommends the installation of a security application.
When TrustBastion’s associated website was active, it claimed that the app could detect scam and fraudulent SMS messages, as well as phishing and malware. Importantly, Bitdefender noted that TrustBastion exhibited no overtly harmful functionality upon initial installation. Following installation, the app prompts users to perform an update, using visuals that mimic legitimate Google Play and Android system update dialogues.
According to Bitdefender, the dropper then initiates a network request to an encrypted endpoint on trustbastion[.]com. Instead of directly delivering an Android package file, the server responds with an HTML page that contains a redirect link to a Hugging Face repository hosting the malware payload. Analysis of captured network traffic revealed that the final APK was downloaded directly from Hugging Face datasets.
Researchers indicated that attackers frequently utilize established domains for malware distribution, as traffic from low-trust domains is generally flagged by security systems more quickly. By leveraging Hugging Face’s hosting capabilities, the campaign sought to enhance its effectiveness.
Bitdefender also highlighted the campaign’s reliance on rapid payload changes. The research indicated a form of server-side polymorphism, with new payloads being generated approximately every 15 minutes. The analyzed Hugging Face repository exhibited a high volume of commits, with more than 6,000 updates documented within a span of about 29 days. Following the investigation, the repository was taken offline, only for the activity to resume under a different link with minor cosmetic changes while maintaining the underlying code.
Upon installation, the second-stage payload requests various permissions, presenting itself as a legitimate system component under the guise of a “Phone Security” feature. Bitdefender noted that the malware guides users through enabling Accessibility Services, framing the request as part of a necessary security or verification step. This stage also seeks permissions for screen recording, screen casting, and overlay display, enabling the malware to observe and manipulate on-screen content.
Once the necessary permissions are granted, the remote access trojan can monitor user activity and capture screen content, subsequently exfiltrating data to a command-and-control server. The malware is designed to show fraudulent authentication interfaces, attempting to collect user credentials by impersonating financial services such as Alipay and WeChat. Additionally, it can capture lock screen information and authentication inputs.
Bitdefender identified persistent communication between the malware and a command-and-control server, which used keep-alive connections. Their investigation uncovered a command-and-control endpoint linked to the IP address 154.198.48.57 on port 5000, associated with the trustbastion[.]com domain. This infrastructure served multiple functions, including delivering the payload URL, loading web views to imitate legitimate features, transmitting stolen data, and providing configuration updates.
The findings come at a time when Hugging Face is facing intensified scrutiny in Australia due to concerns over the content it hosts. Australia’s eSafety Commissioner has mandated that Hugging Face modify its terms to ensure account holders take steps to mitigate the risk of uploaded models being misused for generating child sexual exploitation or pro-terror material. The regulator has the authority to impose fines of up to $49.5 million for breaches of these terms.
Bitdefender’s researchers noted, “Unfortunately, the space Hugging Face offers can also be used by cybercriminals for malicious purposes as the platform doesn’t seem to have meaningful filters that govern what people can upload.” The security firm anticipates that attackers will continue to leverage reputable hosting services and regularly modify their payloads to diminish detection rates.
See also
Meta Stock Surges 8% on Q4 Earnings Beat; Unveils $115B–$135B AI Capex Plan for 2026
South Korea Launches Groundbreaking AI Basic Act, Addressing Safety and Mental Health Risks
Perplexity Announces $750 Million Microsoft Azure Deal for Multi-Model AI Access
Singapore’s ESR Strategy: Boosting Global Competitiveness and AI Leadership in Turbulent Times
Dr. Matthew Meyer Explores AI’s Impact on Humanity at UW-Eau Claire Seminar on Feb. 5
