Thousands of viruses for Android. They bypass security and steal data

Dangerous applications on a popular platform

Cybercriminals are using the Hugging Face platform – a popular repository of AI models – to distribute thousands of malicious Android APK variants. These, among other things, steal login details for financial applications.

The attack begins with the TrustBastion dropper, which impersonates an antivirus tool and lures people with scareware ads claiming the device is infected. Once installed, the app pretends to be an update from Google Play and downloads the payload from the Hugging Face repository using its trusted CDN infrastructure, which helps bypass security filters.

According to Bitdefender, the trustbastion(.)com server generates new APK variants every 15 minutes, creating over 6,000 APK variants (code mutations) in 29 days. Even deleting the repository did not help, because the campaign was quickly resumed under the name “Premium Club”.

The main payload is a Remote Access Trojan (RAT) that abuses Android’s Accessibility Services under the guise of threat protection – allowing screen overlays, screenshot capture, uninstall blocking, and gesture simulation. The malware monitors activity, sends data to the C2 server, displays fake bank logins, and attempts to steal the screen lock code while downloading instructions and updates from C2.

Bitdefender informed Hugging Face, which removed the infected datasets, and the company published indicators of compromise for the dropper and network. For this reason, Android users should avoid apps from outside Google Play, check the permissions (especially Accessibility) of already installed programs, and not manually install APKs from unknown sources. Besides, the latter will soon become much more difficult.
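The Accessibility check recommended above can be scripted over `adb`. The following is an added example, not code from Bitdefender or the original article: it lists enabled accessibility services and flags those whose package is neither a system package nor installed by Google Play. The function names and the sample package names are assumptions constructed for illustration.

```python
import subprocess

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_accessibility(raw):
    """Split the colon-separated 'package/service' list from Android settings."""
    raw = raw.strip()
    if not raw or raw == "null":          # 'null' is printed when nothing is enabled
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_packages(raw):
    """Map package -> installer (or None) from `pm list packages` output."""
    result = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for f in fields[1:]:
            if f.startswith("installer=") and f != "installer=null":
                installer = f[len("installer="):]
        result[fields[0][len("package:"):]] = installer
    return result

def sideloaded_accessibility(a11y_raw, installers_raw, system_raw):
    """Return (package, service, installer) for services worth a manual review."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))
    findings = []
    for pkg, service in parse_accessibility(a11y_raw):
        if pkg in system or installers.get(pkg) == PLAY_STORE:
            continue
        findings.append((pkg, service, installers.get(pkg) or "unknown"))
    return findings

# Constructed sample data (hypothetical package names), used when no device is attached.
SAMPLE_A11Y = ("com.example.reader/.ReadAloudService:"
               "com.example.fakeav/com.example.fakeav.GuardService:"
               "com.example.oem.assist/.AssistService\n")
SAMPLE_INSTALLERS = ("package:com.example.reader  installer=com.android.vending\n"
                     "package:com.example.fakeav  installer=null\n"
                     "package:com.example.oem.assist  installer=null\n")
SAMPLE_SYSTEM = "package:com.example.oem.assist\n"

def adb(*args):
    """Run one command on the attached device; requires adb and USB debugging."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for finding in sideloaded_accessibility(
            adb("settings", "get", "secure", "enabled_accessibility_services"),
            adb("pm", "list", "packages", "-i"),
            adb("pm", "list", "packages", "-s")):
        print("review:", *finding)
```

The installer field is a triage signal rather than proof: a flagged entry means the Accessibility grant should be reviewed by hand, not that the app is malicious.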
