Hugging Face used to spread Android trojan TrustBastion
Bitdefender said cybercriminals have used Hugging Face as a distribution point for Android malware in a campaign that targets device access, credentials and lock screen information.
The security company linked the activity to a remote access trojan campaign that begins with a malicious Android application called TrustBastion. Bitdefender said the operators used social engineering, repeated malware builds and Android accessibility services during the infection chain.
Hugging Face hosts machine learning models and datasets and also supports broader developer tooling. Developers and researchers use the service across the Asia-Pacific region, including at the University of Sydney.
Bitdefender researchers said the platform's content controls did not prevent the hosting of the malware used in the campaign. Hugging Face says it scans uploads with ClamAV, an open-source antivirus engine.
Two-step infection
Bitdefender described a two-stage process. The first stage uses a dropper application. The second stage installs a malicious payload that provides remote access trojan functionality.
The infection chain begins when a user downloads TrustBastion. Bitdefender said the most likely route involves an advertisement or similar prompt. The message claims the phone is infected and urges the installation of a security application.
When its website was online, trustbastion[.]com claimed the app would detect scam and fraudulent SMS messages, phishing and malware. Bitdefender said TrustBastion contained no obviously dangerous functionality when first installed.
Once installed, the app displays a prompt that says an update is required to keep using the application. Bitdefender said the prompt uses visuals that resemble Google Play and Android system update dialogues.
Redirect chain
Bitdefender said the dropper then starts a network request to an encrypted endpoint hosted on trustbastion[.]com. The response does not directly deliver an Android package file, according to the researchers.
Instead, the server returns an HTML page that includes a redirect link. Bitdefender said the link points to a Hugging Face repository that hosts the malware payload. The company said captured network traffic showed the final APK downloaded directly from Hugging Face datasets.
The researchers said attackers often use established domains for delivery because security systems flag traffic from low-trust domains more quickly. They said the campaign used Hugging Face hosting as part of that approach.
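The redirect chain described above leaves a recognisable pattern in web proxy logs: an HTML page from an unrelated host, then an APK fetched from a Hugging Face dataset path by the same client. The following Python sketch is an added example, not code from Bitdefender or Hugging Face. It assumes a constructed log format, TLS-inspecting proxy visibility of URL paths, and a 60-second correlation window.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment

# Constructed proxy log lines: time, client, URL, status, content type.
SAMPLE_LOG = """\
2026-01-10T09:00:01 10.0.0.7 https://updates.example.test/check 200 text/html
2026-01-10T09:00:03 10.0.0.7 https://huggingface.co/datasets/someuser/somerepo/resolve/main/update.apk 200 application/vnd.android.package-archive
2026-01-10T09:05:00 10.0.0.9 https://huggingface.co/datasets/org/corpus/resolve/main/train.parquet 200 application/octet-stream
2026-01-10T09:06:00 10.0.0.9 https://huggingface.co/datasets/org/tools/resolve/main/demo.apk 200 application/octet-stream
"""

def parse(line):
    ts, client, url, status, ctype = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url), int(status), ctype

def is_hf_dataset_apk(url, ctype):
    # An APK is identified by file extension or by the Android package MIME type.
    on_hf = url.hostname == "huggingface.co" and url.path.startswith("/datasets/")
    return on_hf and (url.path.lower().endswith(".apk") or ctype == APK_MIME)

def find_apk_fetches(log_text):
    """Return findings for APKs pulled from Hugging Face dataset paths.

    'via' names the non-Hugging Face host whose HTML response the same client
    received within WINDOW before the download, or None if there was none.
    """
    last_html = {}  # client -> (time, host) of most recent off-platform HTML page
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, ctype = parse(line)
        if status != 200:
            continue
        if is_hf_dataset_apk(url, ctype):
            seen = last_html.get(client)
            via = seen[1] if seen and ts - seen[0] <= WINDOW else None
            findings.append({"client": client, "path": url.path, "via": via})
        elif ctype.startswith("text/html") and url.hostname != "huggingface.co":
            last_html[client] = (ts, url.hostname)
    return findings
```

A finding with a populated `via` host matches the two-hop delivery the researchers describe; a finding with `via` set to None is an APK download from a dataset path with no preceding page and deserves a lower priority.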
Rapid rebuilding
Bitdefender said the campaign also relied on frequent changes to the payload. The company reported server-side polymorphism, with new payloads produced roughly every 15 minutes.
Bitdefender said analysis of the Hugging Face repository showed a high volume of commits in a short period. The company said the repository it reviewed was about 29 days old and had more than 6,000 commits at the time of investigation.
The repository later went offline, Bitdefender said. The researchers said the activity then moved to another link, with different icons and minor changes while the code remained the same.
Each upload represented a newly built APK with the same malicious functionality, Bitdefender said. The researchers said the changes aimed to evade hash-based detection.
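Because every rebuild changes the file hash, the upload cadence is a more stable signal than any single hash. The following Python sketch is an added example, not Bitdefender's or Hugging Face's tooling. It flags a repository path where an APK is replaced by many distinct builds at a short, sustained interval; the commit tuple format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

def apk_churn(commits, max_median_gap=timedelta(minutes=30), min_builds=50):
    """Flag APK paths rebuilt at a rapid, sustained cadence.

    commits: iterable of (datetime, path, sha256_hex), one entry per file change.
    Both thresholds are assumed defaults, not values from the report.
    """
    by_path = {}
    for ts, path, digest in commits:
        if path.lower().endswith(".apk"):
            by_path.setdefault(path, []).append((ts, digest))
    flagged = []
    for path, items in by_path.items():
        items.sort()  # chronological order
        distinct = len({digest for _, digest in items})
        gaps = [later[0] - earlier[0] for earlier, later in zip(items, items[1:])]
        if distinct >= min_builds and gaps and median(gaps) <= max_median_gap:
            flagged.append(
                {"path": path, "builds": distinct, "median_gap": median(gaps)}
            )
    return flagged

# Constructed sample data: placeholder digests, not real indicators.
START = datetime(2026, 1, 1)
# One new build every 15 minutes for a day, each with a different hash.
SUSPICIOUS = [
    (START + timedelta(minutes=15 * i), "app.apk", f"{i:064x}") for i in range(96)
]
# A normal project that publishes a release roughly weekly.
BENIGN = [
    (START + timedelta(days=7 * i), "release/demo.apk", f"{1000 + i:064x}")
    for i in range(4)
]

def demo():
    return apk_churn(SUSPICIOUS + BENIGN)
```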
Accessibility abuse
After installation, the second-stage payload requests permissions, Bitdefender said. It presents itself as a system component and claims to be a "Phone Security" feature.
The malware guides users through enabling Accessibility Services, according to the researchers. Bitdefender said the instructions aim to normalise the permission request and frame it as part of a security or verification step.
Bitdefender said the payload also requests permissions for screen recording, screen casting and overlay display. The company said these permissions allow observation and manipulation of on-screen content.
With permissions granted, Bitdefender said the remote access trojan monitors activity and captures screen content. It then exfiltrates data to a command-and-control server.
The researchers said the malware shows fraudulent authentication interfaces that attempt to collect credentials. Bitdefender said it tries to impersonate financial and payment services including Alipay and WeChat. The company said the malware can also capture lock screen information and authentication inputs.
Command server
Bitdefender said the malware maintains persistent communication with a command-and-control server using keep-alive connections. During its investigation, the company identified a command-and-control endpoint at IP address 154.198.48.57 on port 5000, with a domain linked to trustbastion[.]com.
Bitdefender said the same infrastructure served multiple roles. The researchers said it provided the payload's URL, loaded web views within the application to mimic legitimate functionality, transmitted stolen data and delivered configuration updates.
Regulatory scrutiny
The findings land as Hugging Face faces increased scrutiny in Australia over hosted content. Australia's eSafety Commissioner required Hugging Face to change its terms so account holders take steps to minimise the risks of uploaded models, including misuse to generate child sexual exploitation or pro-terror material.
The regulator can seek fines of up to $49.5m if Hugging Face fails to take action for breaches of its terms.
"Unfortunately, the space Hugging Face offers can also be used by cybercriminals for malicious purposes as the platform doesn't seem to have meaningful filters that govern what people can upload," said Bitdefender researchers in a statement.
Bitdefender said it expects attackers to keep using reputable hosting services and frequent payload changes as long as those methods reduce detection rates.