Hugging Face exploited to spread Android malware
Briefly

"Researchers at Bitdefender have uncovered a large-scale Android campaign in which a remote access trojan is being distributed via Hugging Face's infrastructure. The attackers combine social engineering with the abuse of legitimate cloud hosting to distribute malicious APK files. In doing so, they make intensive use of Android Accessibility Services to gain in-depth control over infected devices. The infection chain starts with a seemingly innocent Android app called TrustBastion. Advertisements and alarming notifications convince users that their devices are infected"
"Immediately after installation, the user is prompted to install a mandatory update. The accompanying screen closely mimics the appearance of Google Play and Android system updates, which increases its credibility. When the user agrees, the app contacts a server that does not deliver malware and instead redirects to a dataset repository on Hugging Face. From there, the final malicious APK is downloaded via the platform's infrastructure and CDN."
"According to Bitdefender, this approach was deliberately chosen to avoid detection. Traffic from well-known and widely used platforms is less likely to be blocked than downloads from suspicious domains. Analysis of the repository used shows that the attackers are applying server-side polymorphism on a large scale. New payload variants were generated approximately every fifteen minutes, resulting in more than 6,000 different APK files in less than a month. Each variant contains the same functionality, but minor technical changes are designed to circumvent hash-based detection."
A large-scale Android campaign distributes a remote access trojan via Hugging Face infrastructure. Attackers use social engineering and legitimate cloud hosting to push malicious APKs. The infection begins with a fake app named TrustBastion that poses as a free security solution but acts as a dropper. Users are coerced by alerts to install a required update that mimics Google Play and system update screens. The dropper redirects to a Hugging Face dataset repository where the final APK is served via the platform's CDN. Attackers employ server-side polymorphism, generating thousands of APK variants to bypass hash-based detection. The malware leverages Android Accessibility Services to gain deep device control.
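The summary's point about server-side polymorphism defeating hash-based detection is worth seeing concretely. The example below is added here and is not code from the article or from Bitdefender's analysis; it builds a few constructed APK-like archives (an APK is a ZIP file) that share the same manifest and code but differ only in a padding resource, then shows that a per-file SHA-256 blocklist sees every variant as new while a signature over stable functional features (the declared permission set plus the code entry) matches all of them. The manifest text, permission list and package name are constructed stand-ins, not artefacts from the real campaign.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for AndroidManifest.xml. A real APK stores the manifest
# as binary XML; plain text is used here so the demo stays self-contained.
MANIFEST = """<manifest package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".ConstructedService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed stand-in for classes.dex; identical in every variant, because the
# article notes each variant "contains the same functionality".
DEX_BYTES = b"dex\n035\x00" + bytes(range(64))


def build_variant(seed: int) -> bytes:
    """Return one constructed APK-like archive.

    Only the padding resource changes between variants, mimicking the minor
    per-download changes that server-side polymorphism introduces.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", DEX_BYTES)
        zf.writestr(f"res/raw/pad_{seed}.bin", seed.to_bytes(4, "big") * 16)
    return buf.getvalue()


def file_hash(apk: bytes) -> str:
    """Whole-file SHA-256: what a hash-based blocklist keys on."""
    return hashlib.sha256(apk).hexdigest()


def extract_permissions(manifest: str) -> list:
    """Sorted, de-duplicated android.permission.* names found in the manifest."""
    return sorted(set(re.findall(r"android\.permission\.[A-Z_]+", manifest)))


def uses_accessibility_service(apk: bytes) -> bool:
    """Heuristic flag: the archive declares a service bound with the
    accessibility permission, the capability the article says the malware
    abuses for device control."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
    return "android.permission.BIND_ACCESSIBILITY_SERVICE" in extract_permissions(manifest)


def structural_signature(apk: bytes) -> str:
    """Hash only stable functional features (permission set + code entry),
    ignoring padding resources, entry order and ZIP timestamps."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
        dex = zf.read("classes.dex")
    h = hashlib.sha256()
    h.update("\n".join(extract_permissions(manifest)).encode())
    h.update(hashlib.sha256(dex).digest())
    return h.hexdigest()


def compare_variants(count: int = 5) -> dict:
    """Count how many distinct identities each detection method sees
    across `count` constructed variants of the same payload."""
    variants = [build_variant(i) for i in range(count)]
    return {
        "variants": count,
        "distinct_file_hashes": len({file_hash(v) for v in variants}),
        "distinct_structural_sigs": len({structural_signature(v) for v in variants}),
        "all_flag_accessibility": all(uses_accessibility_service(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_variants(5))
```

With five variants the whole-file hash yields five unrelated indicators, while the structural signature collapses them to one; that gap is why a feed of 6,000 per-file hashes lags behind a campaign that mints a new variant every fifteen minutes, and why detection keyed on stable behaviour or declared capabilities holds up better.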
Read at Techzine Global