
"The application, called TrustBastion, acts as a dropper and immediately after launch prompts the user to fetch an update, displaying legitimate-looking Google Play and Android system update dialogs. Once the user agrees, the dropper connects to an encrypted endpoint hosted at trustbastion[.]com, which serves an HTML page that points to a Hugging Face repository, and then downloads a malicious payload from the online platform's datasets."
"After installation, the malicious payload requested broad permissions, pretending to be a security feature, and guided the user to enable Accessibility Services to monitor their actions. It also requested permissions to record the screen, perform screen casting, and display overlays, enabling it to observe, capture, and modify on-screen content in real time. Once permissions are enabled, the malware can control infected devices and exfiltrate screen content to the command-and-control (C&C) server."
A dropper Android application named TrustBastion prompts users to install an update by displaying authentic-looking Google Play and Android system dialogs. Once the user accepts, the dropper connects to an encrypted endpoint at trustbastion[.]com, which serves an HTML page pointing to a Hugging Face repository, and then downloads the malicious payload from the platform's datasets. The repository was roughly one month old when taken offline and contained over 6,000 commits, with new payloads generated about every 15 minutes. After installation, the payload requests wide-ranging permissions, guides the user into enabling Accessibility Services, records and casts the screen, displays overlays, takes control of the device, exfiltrates screen content, and shows fake authentication interfaces that impersonate financial and payment services to harvest credentials.
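The permission combination described above (an accessibility service plus overlay, screen-capture and package-installation rights) is a useful triage signal when reviewing an APK's manifest. The following is an added example, not code from SecurityWeek or from the reported sample: it parses a constructed AndroidManifest.xml with the standard library and scores the risky combination. The permission and action names are real Android identifiers; the weights and the "review" threshold are assumptions chosen for this illustration.

```python
"""Triage an Android manifest for the dropper/overlay permission combination
described in the article.  Added example: the manifest below is constructed
for illustration and is not taken from the TrustBastion sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the weights are an assumption for this
# example, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload installer (dropper)", 2),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen capture", 2),
    "android.permission.INTERNET": ("network", 0),  # too common to score
}
# A service guarded by this permission is an accessibility service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
REVIEW_THRESHOLD = 5  # assumed cut-off for manual review

# Constructed manifest resembling the behaviour reported in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.updater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".Monitor"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def triage_manifest(xml_text):
    """Return package name, risk score, findings and a verdict for a manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # Declared permissions: only the ones in the risky table are scored.
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            label, weight = RISKY_PERMISSIONS[name]
            if weight:
                findings.append((label, name, weight))
    # Accessibility services are declared as <service> elements bound by
    # BIND_ACCESSIBILITY_SERVICE, not as a uses-permission entry.
    for svc in root.iter("service"):
        if _attr(svc, "permission") == ACCESSIBILITY_PERMISSION:
            findings.append(("accessibility service", _attr(svc, "name"), 3))
    score = sum(weight for _, _, weight in findings)
    return {
        "package": root.get("package"),
        "score": score,
        "findings": findings,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "low",
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], result["score"])
    for label, ident, weight in result["findings"]:
        print(f"  +{weight}  {label}: {ident}")
```

On the constructed manifest the script reports a score of 9 and a "review" verdict, with the accessibility service as the heaviest single finding. A single permission such as SYSTEM_ALERT_WINDOW is common in benign apps; it is the combination with an accessibility service and an installer permission, as in the reported dropper, that should prompt a closer look.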
Read at SecurityWeek