Hugging Face platform hijacked to send out Android malware - here's what we know so far


  • Hackers used Hugging Face to deliver Android malware via fake antivirus app TrustBastion
  • Malware steals screenshots, lock codes, and payment logins, exfiltrating data to attacker servers
  • Campaign persisted with new repositories despite takedown, highlighting risks of unverified app sources

Hackers are abusing the Hugging Face platform to deliver Android malware which can entirely take over compromised endpoints, experts have warned.

Hugging Face is an open platform for AI tools and machine learning, where users can host and distribute AI, NLP, or ML models - but it seems it is also sometimes used as a launchpad for poisoned models too.

In this case, the crooks used it to deliver Android malware, cybersecurity researchers at Bitdefender noted, starting with a dropper app called TrustBastion.

Thousands of commits

This app acts like an Android antivirus solution - it offers virus protection, defense against phishing, malware, and fraudulent SMS messages. However, TrustBastion engages in scareware - as soon as the victim installs it, it says the device is infected with malware. Then, it demands the user update the app, which is when the malicious code is actually installed.

To deliver the malware, TrustBastion connects to a third-party server, which redirects to a Hugging Face repository where the malicious APK is hosted. From there, the malware is downloaded and delivered via Hugging Face’s CDN.

While these types of campaigns are rather common, unfortunately this one was also successful. In less than a month of activity, it accumulated more than 6,000 commits, Bitdefender said. To make matters worse, as soon as the campaign was spotted and terminated, a new repository popped up, named ‘Premium Club’, using new icons, but retaining the same malicious code.

The malware itself is rather powerful. It can grab screenshots, display fake login interfaces for popular payment services, and steal the lock screen code. Everything is then exfiltrated to a third-party server.

The best way to defend against this type of malware is to only download Android apps from reputable sources, such as the Google Play Store, or the Galaxy Store. Also, make sure to read through the reviews, and be mindful of the number of downloads and overall rating.
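
For defenders who manage Android devices, the delivery chain described above (a third-party server redirecting to an APK hosted on Hugging Face) can be hunted for in web proxy logs. The following is an added example, not code from Bitdefender or the original article; the log layout, the hostname suffixes and every URL in the sample are constructed assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumption: hostname suffixes treated as Hugging Face hosting/CDN.
HF_SUFFIXES = ("huggingface.co", "hf.co")
APK_MIME = "application/vnd.android.package-archive"

# Constructed sample log, not real traffic.
# Columns: client, status, url, content_type, redirect_location
SAMPLE_LOG = """\
10.0.0.5,302,https://updates.example.net/get?id=7,text/html,https://huggingface.co/datasets/someuser/somerepo/resolve/main/update.apk
10.0.0.5,200,https://huggingface.co/datasets/someuser/somerepo/resolve/main/update.apk,application/vnd.android.package-archive,
10.0.0.9,200,https://huggingface.co/bert-base-uncased/resolve/main/config.json,application/json,
10.0.0.7,200,https://cdn-lfs.hf.co/repos/ab/cd/blob,application/vnd.android.package-archive,
"""


def is_hf_host(url):
    """True if the URL's host is a Hugging Face domain or subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in HF_SUFFIXES)


def looks_like_apk(url, content_type):
    """Match on the .apk extension or the Android package MIME type."""
    path = urlsplit(url).path.lower()
    return path.endswith(".apk") or content_type.lower().startswith(APK_MIME)


def find_apk_fetches(log_text):
    """Return APK downloads from Hugging Face hosts, with the redirecting host if seen."""
    findings, redirected = [], {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        client, status, url, ctype, location = row
        if status.startswith("3") and is_hf_host(location) and not is_hf_host(url):
            # Remember which off-platform host sent this client to Hugging Face.
            redirected[(client, location)] = urlsplit(url).hostname
        elif status == "200" and is_hf_host(url) and looks_like_apk(url, ctype):
            findings.append({"client": client, "url": url,
                             "via": redirected.get((client, url))})
    return findings


if __name__ == "__main__":
    for hit in find_apk_fetches(SAMPLE_LOG):
        print(hit)
```

A hit with a non-empty `via` field matches the full redirect pattern; a hit without one still shows an Android package being pulled from a model-hosting platform, which is unusual enough to review.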

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
