Bitdefender researchers uncovered an Android RAT (remote access trojan) campaign that uses the Hugging Face platform for payload delivery. The campaign employs social engineering to distribute a malicious dropper app called TrustBastion, enticing users to install it under the guise of a security update.
Key findings include: a two-step infection chain initiated by a dropper, the use of Hugging Face for malicious APK hosting, server-side polymorphism with new payloads generated every 15 minutes, and abuse of Accessibility Services for persistent control and credential theft. The malware communicates with a centralized command-and-control server to manage payloads and exfiltrate data, leveraging fake interfaces to capture sensitive information. The TrustBastion repository was eventually replaced by a new app, Premium Club, while maintaining the same underlying malicious code.
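The finding that matters most for defenders is the server-side polymorphism: if every payload handed out is rebuilt every 15 minutes, a blocklist of file hashes is stale almost immediately, while the behaviour the report describes (a dropper that requests install rights and binds an Accessibility Service) does not change between rebuilds. The Python below is an added illustration of that point, not code from Bitdefender or from the malware. It uses a constructed stand-in for an APK (a zip whose manifest is plain JSON rather than Android's binary XML), a placeholder package name that is not a real indicator, and a fake build server that regenerates random padding on each call. It shows that the SHA-256 of the file differs between two builds while a fingerprint over the manifest's stable, behaviour-relevant facts stays the same and still matches.

```python
"""Why hash blocklists fail against server-side polymorphism (constructed example)."""
import hashlib
import io
import json
import random
import zipfile

# Constructed manifest modelled on the behaviour in the report: a dropper that
# can install packages and binds an Accessibility Service. Package name is a
# placeholder, not an indicator from the campaign.
DROPPER_MANIFEST = {
    "package": "com.example.dropper",  # placeholder, not a real IoC
    "uses_permission": [
        "android.permission.INTERNET",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    ],
    "services": [
        {
            "name": ".OverlayService",  # placeholder class name
            "permission": "android.permission.BIND_ACCESSIBILITY_SERVICE",
            "intent_filter": "android.accessibilityservice.AccessibilityService",
        }
    ],
}


def build_polymorphic_apk(manifest: dict, seed: int) -> bytes:
    """Simulate the build server: same manifest and code, fresh padding each call.

    Each new seed stands in for one 15-minute regeneration of the payload.
    Fixed zip timestamps keep the output deterministic for a given seed.
    """
    rng = random.Random(seed)
    padding = bytes(rng.getrandbits(8) for _ in range(512))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            ("AndroidManifest.json", json.dumps(manifest).encode()),
            ("classes.dex", b"DEX-PLACEHOLDER"),  # constructed stand-in for code
            ("assets/junk.bin", padding),  # the only part that changes per build
        ):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def file_hash(apk: bytes) -> str:
    """Whole-file SHA-256: what a traditional hash blocklist keys on."""
    return hashlib.sha256(apk).hexdigest()


def read_manifest(apk: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return json.loads(zf.read("AndroidManifest.json"))


def binds_accessibility_service(manifest: dict) -> bool:
    """True if any declared service is bound with the Accessibility permission."""
    return any(
        s.get("permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in manifest.get("services", [])
    )


def behaviour_fingerprint(apk: bytes) -> str:
    """Hash the stable, behaviour-relevant manifest facts instead of the bytes."""
    m = read_manifest(apk)
    perms = sorted(m.get("uses_permission", []))
    profile = {
        "package": m.get("package"),
        "uses_permission": perms,
        "accessibility": binds_accessibility_service(m),
        "install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def classify(apk: bytes, hash_blocklist: set, behaviour_blocklist: set) -> str:
    """Check the file hash first, then fall back to the behaviour fingerprint."""
    if file_hash(apk) in hash_blocklist:
        return "blocked-by-hash"
    if behaviour_fingerprint(apk) in behaviour_blocklist:
        return "blocked-by-behaviour"
    return "unknown"


def demo() -> dict:
    """Build one sample, list it, then test a rebuilt sample against both lists."""
    first = build_polymorphic_apk(DROPPER_MANIFEST, seed=1)
    hash_blocklist = {file_hash(first)}
    behaviour_blocklist = {behaviour_fingerprint(first)}
    later = build_polymorphic_apk(DROPPER_MANIFEST, seed=2)  # "15 minutes later"
    return {
        "same_bytes": file_hash(first) == file_hash(later),
        "same_behaviour": behaviour_fingerprint(first) == behaviour_fingerprint(later),
        "hash_only": classify(later, hash_blocklist, set()),
        "with_behaviour": classify(later, hash_blocklist, behaviour_blocklist),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the rebuilt sample is "unknown" to the hash list but "blocked-by-behaviour" to the fingerprint list. In practice the same idea applies to real APK manifests: key detection on the declared Accessibility Service binding, install-package capability and the command-and-control destination rather than on a hash of a file that the server will never serve twice.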