A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.
Hugging Face is a popular platform that hosts and distributes artificial intelligence (AI), natural language processing (NLP), and machine learning (ML) models, datasets, and applications.
It is considered a trusted platform unlikely to trigger security warnings, but bad actors have abused it in the past to host malicious AI models.
The recent campaign discovered by researchers at Romanian cybersecurity company Bitdefender leverages the platform to distribute Android malware.
The attack begins with scareware-style ads claiming that the target’s device is infected, which lure victims into installing a dropper app called TrustBastion. The malicious app is disguised as a security tool, claiming to detect threats such as scams, fraudulent SMS messages, phishing attempts, and malware.
Immediately after installation, TrustBastion shows a mandatory update alert with visual elements that mimic Google Play.
[Figure: Fake Google Play page. Source: Bitdefender]
Instead of directly serving malware, the dropper contacts a server linked to trustbastion[.]com, which returns a redirect to a Hugging Face dataset repository hosting the malicious APK. The final payload is downloaded from Hugging Face infrastructure and delivered via its content distribution network (CDN).
To evade detection, the threat actor uses server-side polymorphism that generates new payload variants every 15 minutes, Bitdefender says.
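Because the payload hash changes every 15 minutes, a detection keyed on the delivery chain (a third-party host redirecting into a Hugging Face dataset repository, followed by an APK download from Hugging Face or its CDN) is more durable than one keyed on file hashes. The following is an added example, not code from the article or from Bitdefender; the proxy-log format, field names and sample lines are constructed, and the `redirector.example` host stands in for the page's trustbastion[.]com.

```python
"""Flag a dropper-style delivery chain in web-proxy logs: a non-Hugging Face host
answers with a redirect into a Hugging Face *dataset* file, and the same client
then downloads an Android package (APK) from Hugging Face or its CDN.
Log schema (JSON lines with client/url/status/location/content_type) is constructed."""
import json
from urllib.parse import urlparse

HF_HOSTS = ("huggingface.co", "hf.co")          # platform and CDN parent domains
APK_MIME = "application/vnd.android.package-archive"

def is_hf_host(url):
    """True for huggingface.co / hf.co and any subdomain (e.g. cdn-lfs.*)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in HF_HOSTS)

def is_hf_dataset_file(url):
    """True for https://huggingface.co/datasets/<owner>/<repo>/resolve/<rev>/<path>;
    model and space URLs, and plain repository pages, do not match."""
    parts = urlparse(url).path.strip("/").split("/")
    return (is_hf_host(url) and len(parts) >= 5
            and parts[0] == "datasets" and parts[3] == "resolve")

def find_apk_delivery_chains(log_lines):
    """Return (client, redirecting_host, download_url) for each client that was
    redirected from a non-HF host into an HF dataset file and then fetched an APK."""
    pending = {}   # client -> host that issued the redirect into Hugging Face
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        client, url = rec["client"], rec["url"]
        if (300 <= rec["status"] < 400 and not is_hf_host(url)
                and is_hf_dataset_file(rec.get("location", ""))):
            pending[client] = urlparse(url).hostname
            continue
        looks_like_apk = (rec.get("content_type") == APK_MIME
                          or urlparse(url).path.lower().endswith(".apk"))
        if client in pending and rec["status"] == 200 and is_hf_host(url) and looks_like_apk:
            hits.append((client, pending.pop(client), url))
    return hits

# Constructed sample traffic: one suspicious chain and one benign dataset fetch.
SAMPLE_LOG = [
    '{"client":"10.0.0.5","url":"https://redirector.example/update","status":302,'
    '"location":"https://huggingface.co/datasets/acct/repo/resolve/main/app.apk"}',
    '{"client":"10.0.0.5","url":"https://cdn-lfs.huggingface.co/repos/ab/cd/ef",'
    '"status":200,"content_type":"application/vnd.android.package-archive"}',
    '{"client":"10.0.0.7","url":"https://huggingface.co/datasets/x/y/resolve/main/d.parquet",'
    '"status":200,"content_type":"application/octet-stream"}',
]

if __name__ == "__main__":
    for client, via, url in find_apk_delivery_chains(SAMPLE_LOG):
        print(f"ALERT {client}: redirected by {via} to APK at {url}")
```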