Bitdefender researchers have uncovered an Android remote access trojan campaign that highlights how legitimate developer platforms can be repurposed as part of large-scale mobile malware operations, with attackers abusing Hugging Face hosting to stage and distribute malicious payloads.
The campaign centres on an Android RAT delivered through a two-stage infection chain that combines social engineering, deceptive user interfaces and extensive abuse of Android accessibility services. What distinguishes the operation is its reliance on Hugging Face — a widely used platform for hosting machine learning models and datasets — as a trusted delivery mechanism for malware, allowing attackers to evade early detection and content filtering.
According to Bitdefender, the initial infection begins with a malicious application known as TrustBastion. Victims are typically lured through advertisements or warning prompts claiming their device is infected and urging them to install a free security application. At the time of investigation, the TrustBastion website promoted features such as scam SMS detection, phishing protection and malware removal.
In reality, the app functions as a dropper. While it contains no immediately malicious behaviour, it quickly presents users with a fake update prompt after installation. The dialog closely mimics legitimate Google Play or Android system update screens, increasing the likelihood that users will approve the next step.
Rather than directly downloading a second-stage payload from a suspicious domain, the dropper connects to an encrypted endpoint associated with trustbastion[.]com. The response is not an APK file, but a web page containing a redirect link that points to a Hugging Face repository. From there, the final malicious APK is downloaded directly from Hugging Face datasets, leveraging the platform’s trusted reputation to avoid raising network security alerts.
Bitdefender’s analysis of the Hugging Face repository revealed an unusually high level of activity. New payloads were generated approximately every 15 minutes, with more than 6,000 commits recorded over a 29-day period. Each upload represented a newly built APK containing the same core malicious functionality but with small variations designed to evade hash-based detection. When the original repository was taken offline, the operation resurfaced at a new location with minor cosmetic changes, while the underlying code remained largely unchanged.
Once installed, the second-stage payload aggressively abuses Android permissions. The malware masquerades as a system-level “Phone Security” component and guides users through enabling accessibility services, framing the request as a routine security or verification step. With accessibility access granted, the RAT gains broad visibility into user interactions across the device.
Additional permissions allow screen recording, screen casting and overlay display, giving the malware real-time insight into on-screen activity and the ability to manipulate what users see. This enables full remote surveillance and control, effectively turning compromised devices into live monitoring endpoints.
The RAT uses these capabilities to harvest sensitive information, including credentials entered into fake authentication screens designed to impersonate popular financial and payment platforms such as Alipay and WeChat. Lock screen information and authentication inputs can also be captured and exfiltrated.
Command-and-control communications are maintained through persistent keep-alive connections to a centralised server infrastructure. During the investigation, Bitdefender identified a C2 endpoint operating at IP address 154.198.48.57 over port 5000, associated with domains linked to trustbastion[.]com. The same infrastructure is used to deliver configuration updates, receive stolen data and provide payload redirection links pointing back to Hugging Face.
From a cyber risk perspective, the campaign underscores how attackers are increasingly exploiting trusted cloud and developer platforms as part of their delivery chain. While Hugging Face scans uploads with the open-source ClamAV engine, the scale and polymorphic nature of this operation demonstrate the limits of signature-based detection alone.
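A whole-file hash changes with every rebuild, which is why the 15-minute upload cadence described earlier defeats signature matching; hashing the archive's individual entries lets a defender cluster rebuilt variants that still ship the same code. This is an added example, not Bitdefender's tooling or the campaign's files: it assumes the variants keep classes.dex unchanged while a resource file differs, and the two "APKs" it compares are constructed zip archives.

```python
"""Added example: cluster rebuilt APK variants by per-entry hashes rather
than the whole-file SHA-256. The sample archives are constructed here and
stand in for APKs; the assumption is that rebuilds change resources but
leave classes.dex intact."""
import hashlib
import io
import zipfile

DEFAULT_DEX = b"dex\n035\x00" + b"SAMPLE_CODE" * 64  # constructed, not real bytecode


def build_sample_apk(variant_tag: bytes, dex: bytes = DEFAULT_DEX) -> bytes:
    """Construct a minimal zip standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='sample.phone.security'/>")
        z.writestr("classes.dex", dex)
        z.writestr("res/raw/build.txt", variant_tag)  # the only part a rebuild changes
    return buf.getvalue()


def whole_file_hash(apk: bytes) -> str:
    """The hash a signature list would carry; differs for every rebuild."""
    return hashlib.sha256(apk).hexdigest()


def entry_hashes(apk: bytes) -> dict:
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def shared_entry_ratio(a: bytes, b: bytes) -> float:
    """Fraction of entry names (union of both archives) with identical content."""
    ha, hb = entry_hashes(a), entry_hashes(b)
    names = set(ha) | set(hb)
    same = sum(1 for n in names if ha.get(n) == hb.get(n))
    return same / len(names)


def is_likely_variant(a: bytes, b: bytes, threshold: float = 0.6) -> bool:
    """Flag b as a rebuild of a when the code entry matches and most other
    entries are unchanged, even though the whole-file hashes differ."""
    ha, hb = entry_hashes(a), entry_hashes(b)
    same_code = ha.get("classes.dex") is not None and ha.get("classes.dex") == hb.get("classes.dex")
    return same_code and shared_entry_ratio(a, b) >= threshold


if __name__ == "__main__":
    first, second = build_sample_apk(b"build-0001"), build_sample_apk(b"build-0002")
    print(whole_file_hash(first) != whole_file_hash(second), is_likely_variant(first, second))
```

In practice the same comparison can be run against the manifest, native libraries or signing certificate, each of which an attacker must also change to break the clustering.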
For security teams, the findings reinforce the importance of behavioural analysis on mobile devices, particularly around accessibility service abuse and unusual update workflows. As attackers continue to blend malicious activity with legitimate infrastructure, distinguishing between trusted platforms and trusted behaviour is becoming a critical challenge for mobile security and enterprise risk management.
