- Hackers used Hugging Face to deliver Android malware via fake antivirus app TrustBastion
- Malware steals screenshots, lock codes, and payment logins, exfiltrating data to attacker servers
- Campaign persisted with new repositories despite takedown, highlighting risks of unverified app source
Hackers are abusing the Hugging Face platform to deliver Android malware which can entirely take over compromised endpoints, experts have warned.
Hugging Face is an open platform for AI tools and machine learning, where users can host and distribute AL, NLP, or ML models – but it seems it also sometimes used as a launchpad for poisoned models too.
In this case, the crooks used it to deliver Android malware, cybersecurity researchers at Bitdefender noted, starting with a dropper app called TrustBastion.
Thousands of commits
This app acts like an Android antivirus solution – it offers virus protection, defense against phishing, malware, and fraudulent SMS messages. However, TrustBastion engages in scareware – as soon as the victim installs it, it says the device is infected with malware. Then, it demands the user update the app, which is when the malicious code is actually installed.
To deliver the malware, TrustBastion connects to a third-party server, which redirects to a Hugging Face repository where the malicious APK is hosted. From there, the malware is downloaded and delivered via Hugging Face’s CDN.
While these types of campaigns are rather common, unfortunately this one was also successful. In less than a month of activity, it accumulated more than 6,000 commits, Bitdefender said. To make matters worse, as soon as the campaign was spotted and terminated, a new repository popped up, named ‘Premium Club’, using new icons, but retaining the same malicious code.
The malware itself is rather powerful. It can grab screenshots, display fake login interfaces for popular payment services, and steal the lock screen code. Everything is then exfiltrated to a third-party server.
The best way to defend against this type of malware is to only download Android apps from reputable sources, such as the Google Play Store, or the Galaxy Store. Also, make sure to read through the reviews, and be mindful of the number of downloads and overall rating.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/BiyAK4BXKKfecCWadFcHGo-2560-80.jpg
Source link
