Bitdefender — Android dropper used Hugging Face datasets to deliver RAT payloads

• Category: Security

  • What happened: Bitdefender reports an Android malware campaign in which a dropper app (“TrustBastion”) ultimately downloads a remote-access trojan payload from Hugging Face datasets.
  • Two-stage chain: the initial app poses as a “security” tool, then immediately prompts a fake “mandatory update” flow designed to look like Google Play.
  • Why Hugging Face: instead of hosting the APK on a sketchy domain, the dropper fetches a redirect that points at a Hugging Face dataset URL, letting attackers piggyback on trusted infrastructure/CDNs.
  • Polymorphism at scale: Bitdefender says the dataset repo accumulated 6,000+ commits in ~29 days, with new payloads generated roughly every 15 minutes to evade hash-based detection.
  • On-device capability: the payload abuses Android Accessibility Services to gain persistent control (overlays, screen capture, blocking uninstall attempts).
  • Data theft focus: the campaign uses overlays impersonating financial services (e.g., Alipay/WeChat) to capture credentials and also attempts to steal the lock-screen PIN.
  • Takedown & rebrand: Bitdefender notes the original repo was removed, but the operation resurfaced under a new name (“Premium Club”) with the same core code.

Why it matters

  • “AI platforms” are becoming malware infrastructure: attackers are treating model/dataset hosting as generic file hosting because it’s high-trust and globally distributed.
  • Security scanning mismatch: even if uploads are scanned (Hugging Face documents ClamAV scanning), APK polymorphism + social engineering can still win.
  • Enterprise risk isn’t theoretical: employees sideloading “utility” apps on BYOD devices can become a path to account takeover, MFA fatigue, and downstream SaaS compromise.

What to do

  1. Block sideloading on managed devices (MDM) and enforce “install from Play Store only” where possible.
  2. Harden Android accessibility policy: monitor and restrict apps requesting Accessibility Services; treat that permission as high-risk.
  3. Defensive validation: across your fleet, query MDM/EDR telemetry for apps from unknown publishers that request both Accessibility and overlay permissions, and investigate promptly.
  4. Update your threat model: don’t assume “trusted domain” means “trusted file.” Add detections for downloads from high-trust platforms when the file type is executable (APK/EXE/DMG).
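
One way to run the fleet query in step 3 over an app-inventory export, as an added example that is not from Bitdefender or any MDM vendor. The JSON schema, the sample records and the `triage` helper are assumptions constructed for illustration, including the assumption that the export lists an app's accessibility-service declaration alongside its permissions; only the Android permission strings and the Play Store installer package name are real identifiers.

```python
import json

# Real Android identifiers; all other names and data here are constructed.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy

# Constructed sample export; the schema (device/package/installer/permissions)
# is an assumption, not any particular MDM product's format.
SAMPLE_INVENTORY = """[
 {"device": "d1", "package": "com.example.notes", "installer": "com.android.vending",
  "permissions": ["android.permission.INTERNET"]},
 {"device": "d1", "package": "com.example.screenreader", "installer": "com.android.vending",
  "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE",
                  "android.permission.SYSTEM_ALERT_WINDOW"]},
 {"device": "d2", "package": "com.example.autofill", "installer": "com.example.otherstore",
  "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE"]},
 {"device": "d3", "package": "com.example.securitytool", "installer": null,
  "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.REQUEST_INSTALL_PACKAGES"]}
]"""


def triage(records):
    """Return (device, package, severity, reasons) tuples, highest risk first."""
    findings = []
    for app in records:
        perms = set(app.get("permissions") or [])
        # A missing or null installer is treated as unknown, i.e. sideloaded.
        sideloaded = app.get("installer") not in TRUSTED_INSTALLERS
        if not (sideloaded and ACCESSIBILITY in perms):
            continue
        reasons = ["sideloaded", "accessibility"]
        if OVERLAY in perms:
            reasons.append("overlay")
        if INSTALL_PACKAGES in perms:
            reasons.append("installs-packages")  # can install further APKs
        severity = "investigate" if OVERLAY in perms else "review"
        findings.append((app.get("device"), app.get("package"), severity, reasons))
    return sorted(findings, key=lambda f: f[2] != "investigate")


if __name__ == "__main__":
    for finding in triage(json.loads(SAMPLE_INVENTORY)):
        print(finding)
```

The Play-installed screen reader is deliberately not flagged: the installer source, not the permission pair alone, is what separates it from the sideloaded "security tool" record.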
