New Android malware campaign hosted on Hugging Face
A new Android malware campaign has been spotted hosting more than 6,000 commits and APK payload variants on Hugging Face over roughly 29 days.
The hackers tried to blend in with legit AI traffic so they could slip past security checks and steal people's info, according to Bitdefender.
How the malware works
It all starts with pop-up ads warning that your device is infected. These push you to download a "TrustBastion" app from a sketchy website.
Once installed, it fakes a Google Play update and secretly downloads the real malware from Hugging Face's servers.
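A defender-side check for the delivery step described above, as an added example that is not from Bitdefender or the original article: it scans a web-proxy log for Android packages served from Hugging Face, which is unusual next to normal model and dataset downloads. The log layout, the single watched domain, and every sample URL and address are constructed assumptions.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"  # registered APK media type
WATCHED_DOMAIN = "huggingface.co"  # assumption: the only hosting domain watched

# Constructed proxy log, tab-separated: time, client, url, content_type
SAMPLE_LOG = (
    "2026-01-01T10:00:01Z\t10.0.0.5\thttps://huggingface.co/constructed-org/"
    "model/resolve/main/model.safetensors\tapplication/octet-stream\n"
    "2026-01-01T10:02:13Z\t10.0.0.9\thttps://huggingface.co/datasets/"
    "constructed-user/constructed-repo/resolve/main/update.apk\t"
    "application/octet-stream\n"
    "2026-01-01T10:17:40Z\t10.0.0.9\thttps://cdn.huggingface.co/constructed/"
    "blob/abc123?download=true\t" + APK_MIME + "; charset=binary\n"
    "2026-01-01T10:20:02Z\t10.0.0.7\thttps://huggingface.co.example.test/"
    "payload.apk\t" + APK_MIME + "\n"
    "2026-01-01T10:21:55Z\t10.0.0.8\thttps://downloads.example.test/app.apk\t"
    + APK_MIME + "\n"
)

def is_watched_host(host):
    """True for the watched domain or a subdomain, never for lookalike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == WATCHED_DOMAIN or host.endswith("." + WATCHED_DOMAIN)

def looks_like_apk(path, content_type):
    """Match on extension or media type, since either one can be disguised."""
    mime = content_type.split(";")[0].strip().lower()
    return path.lower().endswith(".apk") or mime == APK_MIME

def find_apk_fetches(log_text):
    """Return (time, client, url) for each APK download from the watched host."""
    hits = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        when, client, url, ctype = row
        parts = urlsplit(url)
        if is_watched_host(parts.hostname) and looks_like_apk(parts.path, ctype):
            hits.append((when, client, url))
    return hits

def clients_by_hits(hits):
    """Count flagged downloads per client to surface repeat payload fetches."""
    return Counter(client for _, client, _ in hits)

if __name__ == "__main__":
    for hit in find_apk_fetches(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A client that shows up repeatedly in the result is worth a closer look, since the campaign described here kept pushing fresh payload variants.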
What it can do
This RAT (remote access trojan) grabs special permissions like screen recording and Accessibility Services.
That means it can watch what you do, show fake payment login screens, grab your PINs and passwords—even block you from deleting it or send your data straight to hackers.
How to stay safe
Hugging Face quickly took down the bad files after getting notified, and Google Play Protect is now blocking known versions of the malware.
To stay safe: avoid downloading apps outside official stores and always double-check app permissions before installing anything new.