Security researchers have uncovered a large-scale Android remote access trojan (RAT) campaign that blends classic social engineering techniques with an unconventional hosting strategy and aggressive abuse of Android’s Accessibility Services. The operation stands out not just for its technical sophistication, but for its use of the popular machine learning platform Hugging Face as a staging and distribution point for malicious payloads.
At its core, the campaign relies on deception, trusted infrastructure, and automation. Victims are tricked into installing what appears to be a legitimate security app, while the real malware is quietly fetched from a platform developers normally associate with open-source collaboration and research.

Why Hugging Face Matters in This Campaign
Hugging Face is widely known as a hub for hosting machine learning models, datasets, and development tools. Its strong reputation and massive user base make it an attractive target for abuse. While the platform states that uploads are scanned using ClamAV, an open-source antivirus engine, that level of filtering appears insufficient to stop determined attackers.
By hosting Android malware inside Hugging Face datasets, the attackers benefit from:
- A highly trusted domain that rarely triggers security alarms
- Reliable, globally distributed content delivery
- An environment where frequent uploads do not automatically raise suspicion
This combination allows malicious APKs to blend in with legitimate content until they are actively analyzed.

Key Findings at a Glance
- The malware uses a two-stage infection chain, starting with a dropper app and followed by a full-featured RAT.
- Hugging Face datasets are abused to host and distribute malicious APK files.
- Attackers deploy server-side polymorphism, generating a new payload roughly every 15 minutes.
- The Trojan abuses Accessibility Services to gain persistent control and visibility.
- Fake system and financial interfaces are used to steal credentials and lock-screen data.
- A centralized command-and-control (C2) server coordinates payload delivery and data exfiltration.

Initial Infection: Dropper Distribution and Fake Alerts
The infection chain begins with a malicious Android application named TrustBastion. Victims are typically lured through advertisements or pop-up warnings claiming their device is infected. These messages urge users to install a free “security platform” supposedly capable of detecting scams, phishing attempts, malicious SMS messages, and malware.
When the associated website (trustbastion[.]com) was still active, it presented TrustBastion as a comprehensive mobile protection solution.
In reality, the app functions as a dropper. At first glance, it contains no overtly malicious behavior. However, immediately after installation, the app displays a warning stating that a mandatory update is required to continue. The dialog closely mimics legitimate Google Play and Android system update prompts, significantly increasing the likelihood that users will comply.

Payload Retrieval via Legitimate Infrastructure
Rather than directly downloading malware from a suspicious server, the dropper contacts an encrypted endpoint hosted on trustbastion[.]com. The server does not immediately deliver an APK. Instead, it responds with a small HTML page containing a redirect link.
That link points to a Hugging Face dataset hosting the real payload.
Captured network traffic shows the final APK being downloaded directly from huggingface[.]co and then redirected through Hugging Face’s content delivery network. From a network monitoring perspective, this looks like normal traffic to a well-known, reputable service—exactly what the attackers intended.
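
The retrieval pattern described above can be hunted in web-proxy logs. The following Python code is an added example, not taken from the original report: it flags APK requests to Hugging Face dataset paths and raises severity when the same client received a small HTML page from another host just beforehand. It assumes a TLS-inspecting proxy; the log layout, the staging.example host, the dataset paths, and both thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (not from the report): time client url status type bytes
SAMPLE_LOG = """\
2026-01-10T09:00:01 10.0.0.21 https://staging.example/api/update 200 text/html 412
2026-01-10T09:00:03 10.0.0.21 https://huggingface.co/datasets/user-a/assets/resolve/main/update.apk 302 - 0
2026-01-10T09:05:00 10.0.0.30 https://huggingface.co/datasets/lab-b/corpus/resolve/main/train.parquet 302 - 0
2026-01-10T09:06:00 10.0.0.44 https://huggingface.co/datasets/user-a/assets/resolve/main/update.apk 302 - 0
"""

WINDOW = timedelta(seconds=30)  # assumed gap between redirect stub and APK fetch
STUB_MAX_BYTES = 2048           # assumed ceiling for a "small HTML page"

def parse(line):
    ts, client, url, _status, ctype, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": urlsplit(url), "ctype": ctype, "bytes": int(size)}

def is_hf_dataset_apk(url):
    """True when an APK is requested from a Hugging Face dataset path."""
    return (url.hostname == "huggingface.co"
            and url.path.startswith("/datasets/")
            and url.path.lower().endswith(".apk"))

def find_redirector(events, idx):
    """Host that served the same client a small HTML page just before the fetch."""
    fetch = events[idx]
    for prev in reversed(events[:idx]):
        if fetch["ts"] - prev["ts"] > WINDOW:
            break  # events are time-ordered, so nothing older can match
        if (prev["client"] == fetch["client"] and prev["ctype"] == "text/html"
                and prev["bytes"] <= STUB_MAX_BYTES
                and prev["url"].hostname != "huggingface.co"):
            return prev["url"].hostname
    return None

def find_staged_apk_fetches(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if is_hf_dataset_apk(ev["url"]):
            host = find_redirector(events, i)
            findings.append({"client": ev["client"], "path": ev["url"].path,
                             "redirector": host,
                             "severity": "high" if host else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_staged_apk_fetches(SAMPLE_LOG):
        print(finding)
```

The redirector host returned for a high-severity finding is the one worth pivoting on, since the Hugging Face hostname alone cannot be blocked without collateral impact.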

Automated Payload Generation and Polymorphism
Analysis of the Hugging Face repository revealed an unusually high volume of commits. New payloads were generated approximately every 15 minutes. Over a lifespan of roughly 29 days, the repository accumulated more than 6,000 commits.
Each upload was a newly built APK with identical malicious capabilities but slight internal variations. These changes are designed to defeat hash-based detection methods.
Although the original repository was eventually taken offline, the operation simply migrated to a new location with different branding and icons. The underlying codebase remained effectively unchanged.
Despite this polymorphism, the malware exhibits consistent behavior patterns, permission requests, and communication logic. Behavioral detection systems, such as those used by Bitdefender Mobile Security for Android, are therefore able to identify the threat by observing what the app does rather than relying solely on file signatures.

Second-Stage Payload and Permission Abuse
Once installed, the second-stage payload presents itself as a legitimate “Phone Security” component. It guides the user through enabling Accessibility Services, framing the request as a required security or verification step.
The malware’s interface is carefully designed to normalize this request, making it appear routine and harmless. Once granted, Accessibility Services give the RAT deep insight into user interactions across the entire device.
Beyond accessibility access, the malware also requests:
- Screen recording permissions
- Screen casting capabilities
- Overlay display privileges
Together, these permissions allow the attacker to observe, capture, and manipulate on-screen activity in real time.
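
To illustrate both the polymorphism section and the permission list above, the following Python code is an added example (not from the original report or from any vendor's product) showing why a file hash changes with every rebuild while a fingerprint built from declared capabilities stays the same. The manifests are constructed samples, the mapping from the article's capabilities to specific manifest entries is an assumption, and a manifest check is only a static approximation of behavioral detection.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping of the capabilities named in the article to manifest entries.
RISKY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen_capture",
}

def sample_manifest(package, perms, a11y, build_tag=""):
    """Constructed, decoded AndroidManifest.xml used as demo input."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    svc = f'<service android:name=".Svc" android:permission="{A11Y_BIND}"/>' if a11y else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application>{svc}</application>'
            f'<!-- {build_tag} --></manifest>')

def file_hash(manifest_xml):
    """Stand-in for the per-build file hash that changes with every rebuild."""
    return hashlib.sha256(manifest_xml.encode()).hexdigest()

def capabilities(manifest_xml):
    """Extract the risky capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = (p.get(ANDROID + "name") for p in root.iter("uses-permission"))
    caps = {RISKY_PERMS[n] for n in names if n in RISKY_PERMS}
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        caps.add("accessibility")
    return caps

def behaviour_fingerprint(manifest_xml):
    """Hash of the sorted capability set: stable across repackaged builds."""
    joined = ",".join(sorted(capabilities(manifest_xml)))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]

def is_rat_like(manifest_xml):
    """Accessibility service combined with overlay and screen capture."""
    return {"accessibility", "overlay", "screen_capture"} <= capabilities(manifest_xml)

# Constructed inputs: two "rebuilds" differing in package name and build tag.
BUILD_A = sample_manifest("com.example.alpha", RISKY_PERMS, True, "build 0001")
BUILD_B = sample_manifest("com.example.bravo", RISKY_PERMS, True, "build 0002")
BENIGN = sample_manifest("com.example.notes", ["android.permission.INTERNET"], False)

if __name__ == "__main__":
    for name, m in [("A", BUILD_A), ("B", BUILD_B), ("benign", BENIGN)]:
        print(name, file_hash(m)[:12], behaviour_fingerprint(m), is_rat_like(m))
```

Accessibility services have legitimate uses, so the combination is a triage signal to prioritize review rather than a verdict on its own.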

Surveillance and Credential Theft
With elevated privileges in place, the RAT operates as a fully featured remote surveillance tool. It continuously monitors user activity and captures screen content, which is then exfiltrated to the command-and-control server.
The malware also displays convincing fake authentication screens designed to steal sensitive credentials. These interfaces impersonate popular financial and payment platforms, including Alipay and WeChat.
In addition to financial credentials, the spyware is capable of capturing lock-screen data and authentication inputs, further increasing the risk of account takeover and identity theft.

Command-and-Control Infrastructure
The RAT maintains persistent communication with its C2 server using keep-alive connections. During the investigation, researchers identified a primary C2 endpoint at IP address 154.198.48[.]57, communicating over port 5000, with infrastructure linked to trustbastion[.]com.
This server serves multiple roles:
- Receiving commands from the attackers
- Exfiltrating stolen data
- Delivering updated configuration files
- Providing redirect links to Hugging Face-hosted payloads
The same infrastructure is also used to load web views inside the app, helping it mimic legitimate functionality and avoid suspicion.

Same Code, Different App Names
The repository hosting the original TrustBastion dropper remained online for more than a month before disappearing in late December 2025. Shortly afterward, a new repository surfaced, this time hosting an Android app called Premium Club.
Despite the new name and visual changes, analysis confirmed that the underlying code was the same. This rebranding strategy allows attackers to reset reputation-based detection systems and continue operations with minimal effort.

Indicators of Compromise
Before publishing their findings, researchers notified Hugging Face, which promptly removed the malicious datasets.
Common indicators observed during the investigation include:
Package names
rgp.lergld.vhrthgcom.nrb.phayrucq
Dropper hashes
- d184d705189e42b54c6243a55d6c9502
- d8b0fd515d860be2969cf441ea3b620d
- b716a8a742fec3084b0f497abbfecfc0
- 15bdc66aca9fb7290165d460e6a993a9
- fc874c42ea76dd5f867649cbdf81e39b
Network indicators
- IP address: 154.198.48[.]57
- Domains: trustbastion[.]com, au-club[.]top
- Additional IP: 108.187.7[.]133
This campaign highlights how trusted platforms can be weaponized when security controls fail to account for abuse at scale. By combining social engineering, legitimate infrastructure, and aggressive permission abuse, the attackers created a highly resilient Android threat that could easily bypass traditional defenses.
The case also reinforces a critical lesson for mobile security: how an app behaves on a device is often far more important than where it comes from or what its file hash looks like.
