Bitdefender — Hugging Face abused to distribute polymorphic Android RAT payloads

• Category: Security

  • What happened: Bitdefender described an Android campaign where a dropper app ultimately downloads its malware payload from Hugging Face dataset repositories (via redirects), leveraging the platform’s reputation and CDN delivery.
  • Initial lure: victims are pushed to install a “security” app (reported as TrustBastion) using scareware-style prompts.
  • Delivery trick: instead of hosting malware directly, the dropper points to infrastructure that redirects to Hugging Face, shifting the “download origin” to a trusted domain.
  • Polymorphism: Bitdefender reports server-side generation of new payload variants every ~15 minutes, likely to stay ahead of static signatures and URL-based blocks.
  • Capabilities: the payload is described as a RAT abusing Android Accessibility Services to drive overlays, capture screens, resist removal, and steal credentials (including via fake banking/payment login UIs).
  • Response: per reporting, the malicious Hugging Face repos were removed after notification, but the operation reportedly re-appeared under a new name.

Why it matters

  • “Trusted” developer platforms are now part of the attack chain: defenders can’t rely on domain reputation alone when attackers can continuously spin up new repos and payloads.
  • Fast polymorphism breaks brittle controls: if your mobile defenses depend heavily on hashes/IOCs, frequent payload churn can create detection gaps.
  • Dataset/model hosting is a new supply-chain surface: security teams should treat ML artifact repositories as first-class egress/delivery risks (similar to paste sites, code hosting, and file sharing).

What to do

  1. Mobile policy: block sideloading where you can (MDM), and educate users that “security” apps pushed via ads are a common lure.
  2. Telemetry: watch for devices repeatedly reaching Hugging Face datasets from non-browser contexts, especially shortly after installing unknown apps.
  3. Android hardening: audit which apps have Accessibility permissions; remove anything suspicious and prefer allowlists for enterprise devices.
  4. IOC-driven response (defensive): use Bitdefender’s published IOCs as enrichment signals, but assume payload hashes will rotate quickly.
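
One way to implement the telemetry check in step 2, as an added example that is not taken from Bitdefender's report: it scans proxy log lines for repeated requests to Hugging Face dataset paths from non-browser user agents and notes any app installed shortly before the first such request. The log format, device and package names, thresholds and the `Mozilla/` user-agent heuristic are assumptions, and all sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HF_HOST = "huggingface.co"
DATASET_PREFIX = "/datasets/"

# Constructed sample data (not real telemetry). Assumed proxy log fields:
# timestamp device host path user-agent
PROXY_LOG = """\
2025-01-10T09:00:05 dev-17 huggingface.co /datasets/example-owner/example-repo/resolve/main/p1.bin okhttp/4.12.0
2025-01-10T09:16:40 dev-17 huggingface.co /datasets/example-owner/example-repo/resolve/main/p2.bin okhttp/4.12.0
2025-01-10T09:31:12 dev-17 huggingface.co /datasets/example-owner/example-repo/resolve/main/p3.bin okhttp/4.12.0
2025-01-10T09:05:00 dev-22 huggingface.co /datasets/example-owner/public-corpus Mozilla/5.0 (Linux; Android 14) Chrome/120.0 Mobile
2025-01-10T09:06:00 dev-22 huggingface.co /datasets/example-owner/public-corpus/tree/main Mozilla/5.0 (Linux; Android 14) Chrome/120.0 Mobile
2025-01-10T09:07:00 dev-22 huggingface.co /datasets/example-owner/public-corpus/viewer Mozilla/5.0 (Linux; Android 14) Chrome/120.0 Mobile
2025-01-10T10:00:00 dev-31 huggingface.co /datasets/example-owner/example-repo/resolve/main/p1.bin Dalvik/2.1.0 (Linux; U; Android 13)
2025-01-10T10:01:00 dev-31 example.org /index.html Dalvik/2.1.0 (Linux; U; Android 13)
"""
# Constructed MDM install events: device -> [(timestamp, package)]
INSTALLS = {"dev-17": [("2025-01-10T08:58:00", "com.example.unknownapp")],
            "dev-22": [("2025-01-09T12:00:00", "com.example.notes")]}

def flag_devices(proxy_log, installs, min_hits=3, install_window=timedelta(hours=1)):
    """Return devices with >= min_hits non-browser requests to HF dataset paths."""
    hits = defaultdict(list)
    for line in proxy_log.splitlines():
        parts = line.split(" ", 4)          # user-agent may contain spaces
        if len(parts) != 5:
            continue                        # skip malformed lines
        ts, device, host, path, ua = parts
        if host != HF_HOST or not path.startswith(DATASET_PREFIX):
            continue
        if ua.startswith("Mozilla/"):       # heuristic: browser-like UA, not counted
            continue
        hits[device].append(datetime.fromisoformat(ts))
    findings = {}
    for device, times in hits.items():
        if len(times) < min_hits:
            continue
        first, recent = min(times), None
        for inst_ts, pkg in installs.get(device, []):
            delta = first - datetime.fromisoformat(inst_ts)
            if timedelta(0) <= delta <= install_window:
                recent = pkg                # install shortly before first fetch
        findings[device] = {"hits": len(times), "recent_install": recent}
    return findings

if __name__ == "__main__":
    for dev, info in flag_devices(PROXY_LOG, INSTALLS).items():
        print(dev, info)
```

A user-agent string is client-controlled, so treat a match as a triage signal to combine with the install timeline and the Accessibility audit in step 3, not as a verdict.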

Sources