A large-scale Android malware campaign has been uncovered that abuses Hugging Face as a distribution channel for thousands of malicious APK variants designed to steal credentials from popular financial and payment services. The operation highlights how trusted developer platforms are increasingly being leveraged as part of modern malware delivery chains.
Trusted AI platforms abused for malware distribution
Hugging Face is widely used by developers and researchers to host and distribute artificial intelligence, machine learning, and natural language processing models, datasets, and applications. Due to its strong reputation and legitimate use cases, content delivered from the platform is far less likely to raise suspicion or trigger automated security controls.
Researchers at Bitdefender have identified a campaign that exploits this trust by hosting malicious Android payloads inside Hugging Face dataset repositories. While the platform has previously been abused to host harmful AI models, this campaign demonstrates its misuse as a scalable malware distribution backend.
Infection chain and dropper-based delivery
The attack begins with social engineering. Victims are lured into installing a malicious Android dropper application named TrustBastion, which is promoted through scareware-style advertisements. These ads falsely warn users that their device is infected and urge immediate action.
Disguised as a mobile security tool, TrustBastion claims to protect against scams, phishing attempts, fraudulent SMS messages, and malware. Immediately after installation, the app presents a mandatory update prompt designed to closely mimic the appearance of the Google Play interface.
Rather than delivering the malware directly, the dropper contacts an attacker-controlled server associated with trustbastion[.]com. The server responds with a redirect to a Hugging Face dataset repository, from which the final malicious APK is downloaded via Hugging Face’s content delivery network (CDN). This indirect delivery approach significantly reduces detection rates.
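The redirect step described above can be hunted for in web proxy logs by correlating an off-platform 3xx response with the APK download that follows it. This is an added example, not code from Bitdefender or the original article. The JSON log schema, the `.example` hostnames and the repository names are constructed assumptions; the `/datasets/<owner>/<repo>/resolve/<revision>/<path>` layout is the file URL form Hugging Face uses for repository content.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: one JSON object per line (assumed proxy log schema).
SAMPLE_LOG = """\
{"client": "10.0.0.5", "url": "https://updates.dropper.example/get", "status": 302, "location": "https://huggingface.co/datasets/example-org/example-repo/resolve/main/update.apk"}
{"client": "10.0.0.5", "url": "https://huggingface.co/datasets/example-org/example-repo/resolve/main/update.apk", "status": 200, "location": null}
{"client": "10.0.0.9", "url": "https://huggingface.co/datasets/example-org/corpus/resolve/main/train.parquet", "status": 200, "location": null}
{"client": "10.0.0.7", "url": "https://huggingface.co/datasets/example-org/apps/resolve/main/tool.apk", "status": 200, "location": null}
"""

HF_HOSTS = {"huggingface.co"}  # assumption: extend with CDN hostnames seen in your logs
# Repository files are served at /datasets/<owner>/<repo>/resolve/<revision>/<path>
DATASET_APK = re.compile(r"^/datasets/[^/]+/[^/]+/resolve/[^/]+/.+\.apk$", re.I)


def is_hf_dataset_apk(url):
    """True if url is an APK file inside a Hugging Face dataset repository."""
    parts = urlparse(url or "")
    return (parts.hostname or "").lower() in HF_HOSTS and bool(DATASET_APK.match(parts.path))


def find_apk_fetches(log_text):
    """Return one finding per APK download, tagged with the redirecting host if any."""
    redirected = {}  # (client, target URL) -> off-platform host that issued the redirect
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(ev, dict):
            continue
        client, url = ev.get("client"), ev.get("url") or ""
        host = (urlparse(url).hostname or "").lower()
        status, target = ev.get("status") or 0, ev.get("location")
        if 300 <= status < 400 and host not in HF_HOSTS and is_hf_dataset_apk(target):
            redirected[(client, target)] = host
        elif status == 200 and is_hf_dataset_apk(url):
            origin = redirected.get((client, url))
            findings.append({"client": client, "url": url, "redirected_from": origin,
                             "severity": "high" if origin else "review"})
    return findings


if __name__ == "__main__":
    for finding in find_apk_fetches(SAMPLE_LOG):
        print(finding)
```

A `review` finding only marks an APK fetched from a dataset repository with no observed off-platform redirect; it still warrants a look, since dataset repositories are not a normal source of Android packages.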
Massive polymorphic malware generation
To further evade detection, the attackers implemented server-side polymorphism. According to Bitdefender, a new APK variant is generated approximately every 15 minutes, resulting in thousands of unique samples.
At the time of investigation, the malicious Hugging Face repository was around 29 days old and had accumulated more than 6,000 commits, illustrating the scale and automation behind the operation. Although the original repository was taken down, the campaign quickly resurfaced under a new name, Premium Club, using different branding while retaining the same core malicious code.
Abuse of Android Accessibility Services
The final payload is a fully featured Android remote access trojan (RAT) that aggressively abuses Android’s Accessibility Services. The malware frames the permission request as a necessary security feature, convincing users to grant extensive control over their device.
Once enabled, Accessibility access allows the malware to display screen overlays, capture screenshots, simulate user gestures such as swipes and taps, block uninstallation attempts, and monitor user activity in real time. This level of control effectively hands full visibility and interaction capabilities to the attacker.
Credential theft and persistent command-and-control
Bitdefender reports that the malware continuously monitors the victim’s activity and exfiltrates captured data to its command-and-control (C2) infrastructure. It displays fake login screens impersonating well-known financial platforms, including Alipay and WeChat, to harvest credentials.
In addition to stealing usernames and passwords, the malware attempts to capture the device’s lock screen PIN, enabling deeper compromise and potential account takeover. The malware maintains a persistent connection to the C2 server, which is used to receive commands, push configuration updates, and deliver fake in-app content to make the dropper appear legitimate over time.
Takedown efforts and defensive guidance
After being notified by Bitdefender, Hugging Face removed the malicious datasets hosting the APK payloads. Bitdefender also published indicators of compromise (IOCs) covering the dropper application, network infrastructure, and associated malware packages to aid detection and response efforts.
From a defensive standpoint, Android users should avoid installing applications from third-party app stores or sideloading APK files. Reviewing requested permissions—particularly Accessibility Services—and ensuring they align with the app’s stated functionality is critical. This campaign demonstrates how even well-known, trusted platforms can be repurposed by attackers, reinforcing the need for user vigilance and layered mobile security controls.
