Attackers Exploit Hugging Face Hosting for Android RAT Payload

A new Android threat campaign leverages social engineering in conjunction with a legitimate machine learning platform to spread dangerous malware across devices.

The attack begins when users see fake security alerts claiming their phones are infected and need protection. These deceptive prompts push users to download a fake security app called TrustBastion, which initially appears harmless.

However, once installed, this app becomes the starting point for a complex infection chain that can give attackers full control over compromised Android devices.

The campaign exploits Hugging Face, a popular platform used by developers and researchers to share machine learning models and datasets.

Instead of relying on suspicious domains that could be blocked, attackers abuse this trusted service to host and deliver their malicious payloads.

This approach is particularly dangerous because Hugging Face is widely recognized as a legitimate platform, making security tools less likely to flag traffic coming from it. The platform claims all uploads are scanned, but the attack shows gaps in current security measures.

After installation, TrustBastion displays a fake update notification that closely mimics legitimate Google Play or Android system dialogs.

Bitdefender researchers identified that when users click to update, the app connects to a server that redirects them to a Hugging Face repository hosting the actual malicious Android application.

This two-stage delivery process helps attackers avoid immediate detection and increases the success rate of infections.

How Attackers Maintain Control and Steal Data

Once the malicious payload installs, it requests critical permissions while pretending to be a legitimate phone security feature.

The most important permission is Accessibility Services, which gives the malware extensive visibility into everything users do on their devices.

With this access, the RAT can monitor user activity, capture screenshots, record screens, and display fake login screens designed to steal financial credentials from services like Alipay and WeChat.

The malware also captures lock screen information and maintains constant communication with a remote command server using persistent connections.

This connection allows attackers to transmit stolen data and receive new commands in real time. Researchers discovered that attackers regenerate new versions of the malware approximately every fifteen minutes through server-side polymorphism.

Over twenty-nine days, the original repository accumulated more than six thousand commits.

Each new version introduces minor variations while maintaining identical malicious functionality, a technique specifically designed to evade security detection systems based on file hashes.

When the original TrustBastion repository disappeared in December 2025, attackers simply relaunched with a different app name called Premium Club, using the same underlying code to continue their campaign and avoid prolonged detection.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.