Key points
- Hugging Face datasets were used to host and deliver a malicious Android payload.
- The fake security app TrustBastion functions as a dropper and prompts users to install updates via convincing Google Play and system dialogs.
- The dropper connects to trustbastion[.]com, which points to a Hugging Face repository that served frequently generated payloads.
- The malware requests Accessibility, screen recording, casting, and overlay permissions to monitor, capture, and control infected devices.
- Operators maintain C&C infrastructure to exfiltrate data, display fraudulent login screens for services like Alipay and WeChat, update configurations, and redirect payloads. The repositories later reappeared as projects like Premium Club.
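
For defenders triaging a suspect APK, the permission combination listed above can be checked in a decoded `AndroidManifest.xml`. The following is an added example, not code from the article or from the researchers. The sample manifest is constructed, and the mapping of "screen recording/casting" to MediaProjection declarations and of the dropper behaviour to `REQUEST_INSTALL_PACKAGES` is an assumption about how these capabilities typically appear in a manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded manifest (for example apktool output), not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Capture"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

def risky_capabilities(manifest_xml):
    """Return capability labels declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = set()
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.add("overlay")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found.add("sideload-install")  # assumed marker of dropper behaviour
    if "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms:
        found.add("screen-capture")
    for svc in root.iter("service"):
        # Accessibility services are declared as services guarded by this permission.
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility")
        # foregroundServiceType may combine several values with "|".
        types = (svc.get(ANDROID_NS + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in types:
            found.add("screen-capture")
    return found

def triage(manifest_xml):
    """Escalate when accessibility is paired with overlay or screen capture."""
    caps = risky_capabilities(manifest_xml)
    escalate = "accessibility" in caps and bool(caps & {"overlay", "screen-capture"})
    return escalate, sorted(caps)

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Legitimate accessibility and screen-sharing apps declare some of these too, so a hit is a reason for manual review, not a verdict.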
Read More: https://www.securityweek.com/hugging-face-abused-to-deploy-android-rat/