Hackers Weaponize Trusted AI Platform to Spread Android Banking Malware

Malicious APKs Hosted on Hugging Face Used to Steal Financial Credentials

Cybersecurity researchers have uncovered a new Android malware campaign abusing the trusted AI platform Hugging Face to distribute thousands of malicious APK variants designed to steal credentials from popular financial and payment services.

The campaign leverages the platform’s reputation and global content delivery infrastructure to evade detection, allowing attackers to deliver malware without triggering common security warnings.

How the Attack Works

The infection chain begins with a malicious Android dropper application named TrustBastion, promoted through scareware-style advertisements. These ads falsely warn users that their devices are infected with malware, phishing threats, or fraudulent SMS messages.

Once installed, TrustBastion immediately displays a mandatory update prompt that visually imitates Google Play, increasing the likelihood that victims proceed without suspicion.

Instead of hosting malware directly, the app contacts a backend server associated with its infrastructure, which then redirects victims to a Hugging Face dataset repository. From there, the final malicious APK payload is downloaded via Hugging Face’s CDN.

Advanced Evasion Techniques

To avoid detection and takedowns, the threat actors implemented server-side polymorphism, generating a new malware variant every 15 minutes. During investigation, researchers observed:

• Over 6,000 commits in a single repository
• Continuous payload mutation to bypass signature-based defenses
• Rapid reappearance under a new operation name, “Premium Club,” after takedown

Despite changes in branding and icons, the malicious codebase remained largely unchanged.

Capabilities of the Malware

The final payload operates as a remote access trojan (RAT) that aggressively abuses Android’s Accessibility Services, misleading users into granting elevated permissions under the guise of security protection.

Once active, the malware can:

• Capture screenshots continuously
• Display phishing overlays mimicking financial apps
• Intercept credentials for services like Alipay and WeChat
• Steal device unlock PINs
• Block uninstallation attempts
• Maintain persistent communication with its command-and-control (C2) server

All harvested data is exfiltrated in real time, while attackers can remotely push commands and fake content to maintain the illusion of legitimacy.

Why This Campaign Is Dangerous

This operation highlights a growing trend where attackers abuse high-trust platforms rather than traditional malicious infrastructure. By hosting payloads on a legitimate AI ecosystem, the campaign significantly reduces user suspicion and bypasses many automated security controls.

It also demonstrates how AI and ML platforms are becoming part of the modern malware delivery chain, expanding the attack surface beyond app stores and websites.

Defensive Recommendations

Android users and organizations should:

• Avoid installing apps from third-party sources or unknown links
• Scrutinize apps requesting Accessibility Services access
• Treat scareware-style security alerts as high risk
• Ensure mobile threat detection solutions are enabled
• Keep devices and applications fully updated