What happened
An Android malware campaign is using the Hugging Face platform to host and distribute thousands of malicious APK variants. Researchers at Bitdefender found that attackers abused the trusted AI and machine learning repository to serve multiple payloads associated with a campaign centered around a dropper app called “TrustBastion.” The attack begins with victims being lured into installing the dropper, which masquerades as a mobile security tool and is promoted through scareware-style ads claiming the device is infected. Once installed, TrustBastion directs users to APKs hosted on Hugging Face that collect credentials for popular financial and payment services. The malicious APKs vary in payload but stem from the same underlying malware distribution operation, hosted as datasets on the platform.
Who is affected
Android users who install the TrustBastion dropper app are affected, as execution of the app can lead to the installation of malicious APKs that harvest credentials for financial and payment services.
Why CISOs should care
This campaign highlights how threat actors can leverage trusted development and repository platforms like Hugging Face to distribute polymorphic Android malware, expanding the attack surface for credential theft and mobile compromise.
3 practical actions
- Audit Android APK installs. Investigate sources and signatures of recently installed APKs for similarities to the campaign.
- Monitor credential harvesting vectors. Look for anomalous credential transmissions from enterprise mobile devices.
- Educate users on sideload risks. Ensure policies discourage sideloading apps from unverified sources.
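The first action above, auditing installer sources and signatures of third-party packages, can be scripted per device. The following is an added example written for this brief; it is not code from the article or from Bitdefender. It assumes an analyst has already captured the text output of `adb shell pm list packages -3 -i` (one line per third-party package with its installer), a mapping of package name to the SHA-256 digest of each APK's signing certificate (for example from `apksigner verify --print-certs`), and a signer-digest watchlist from a vendor IoC feed; the device output, digests and watchlist entry below are constructed placeholders, not real indicators.

```python
"""Triage third-party Android packages for sideload origin and signer digests.

Added example for this brief; not code from the article or from Bitdefender.
Assumes the analyst has already captured, per device:
  * the text output of `adb shell pm list packages -3 -i`, whose lines look like
        package:<package name>  installer=<installer package or null>
  * a mapping of package name -> SHA-256 digest of the APK's signing certificate
    (for example, taken from `apksigner verify --print-certs <apk>`), and
  * a watchlist of signer digests from a vendor IoC feed (placeholder here).
"""
from dataclasses import dataclass
from typing import Optional

# Installer packages that correspond to an app store rather than a manual
# sideload. Constructed allow-list; extend it with the stores your fleet uses.
STORE_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    installer: Optional[str]  # None when pm reports installer=null


def parse_pm_list(output: str) -> list[InstalledPackage]:
    """Parse `pm list packages -i` output into InstalledPackage records."""
    pkgs = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and anything that is not a package entry
        body = line[len("package:"):]
        name, _, rest = body.partition(" ")
        installer = None
        for tok in rest.split():
            if tok.startswith("installer="):
                value = tok[len("installer="):]
                installer = None if value == "null" else value
        pkgs.append(InstalledPackage(name, installer))
    return pkgs


def sideloaded(pkgs: list[InstalledPackage]) -> list[InstalledPackage]:
    """Packages not placed on the device by a known store installer."""
    return [p for p in pkgs if p.installer not in STORE_INSTALLERS]


def matched_signers(signers: dict[str, str], watchlist: set[str]) -> list[str]:
    """Package names whose signing-certificate digest appears on the watchlist."""
    normalized = {d.lower().replace(":", "") for d in watchlist}
    return sorted(
        name for name, digest in signers.items()
        if digest.lower().replace(":", "") in normalized
    )


def triage(pm_output: str, signers: dict[str, str], watchlist: set[str]) -> dict:
    """Combine both checks into one report for a single device."""
    pkgs = parse_pm_list(pm_output)
    return {
        "total": len(pkgs),
        "sideloaded": [p.name for p in sideloaded(pkgs)],
        "signer_matches": matched_signers(signers, watchlist),
    }


# --- Constructed sample input (not real device data or real IoCs) -------------
SAMPLE_PM_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.unknown_security_tool  installer=null
package:com.example.banking  installer=com.android.vending
package:com.example.manual_install  installer=com.google.android.packageinstaller
"""

# Constructed signer digests; the watchlist entry is a placeholder standing in
# for a digest from a vendor IoC feed, not a real malicious certificate.
SAMPLE_SIGNERS = {
    "com.example.notes": "11" * 32,
    "com.example.unknown_security_tool": "ab" * 32,
    "com.example.banking": "22" * 32,
    "com.example.manual_install": "33" * 32,
}
SAMPLE_WATCHLIST = {"AB" * 32}  # placeholder: SHA-256 from IoC feed

if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT, SAMPLE_SIGNERS, SAMPLE_WATCHLIST))
```

Packages whose installer is `null` or the manual package installer are the sideload candidates to look at first; a signer-digest match against the watchlist is the stronger signal, since a dropper's payload variants are more likely to share a signing certificate than a package name.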
