
The abuse of a trusted AI model repository highlights emerging supply‑chain risks, eroding confidence in platforms once considered safe for code distribution. It forces security teams to broaden monitoring to include machine‑learning hubs and reinforces the need for rapid collaboration between vendors and platform operators.
Hugging Face has become a cornerstone for AI researchers, offering a centralized marketplace for models, datasets, and code. Its reputation for hosting vetted machine‑learning artifacts makes it an unlikely source of malicious activity, which in turn shields uploads from conventional security warnings. Yet the platform’s open‑submission model and robust content‑delivery network have attracted threat actors seeking a trusted conduit for malware. Earlier incidents showed malicious AI models slipping through, and the latest campaign escalates the risk by leveraging the same infrastructure to distribute Android payloads at scale.
The infection chain starts with a scare‑ware app named TrustBastion, which pretends to be a security scanner and pushes a fake Google Play update prompt. Once installed, the dropper contacts a command server that redirects the device to a Hugging Face dataset repository, where a new APK is fetched from the platform’s CDN. Bitdefender observed more than 6,000 commits over a 29‑day window, with server‑side polymorphism generating a fresh variant every fifteen minutes. The downloaded remote‑access trojan (RAT) hijacks Android’s Accessibility Services, enabling screen overlays, credential‑phishing pages for Alipay and WeChat, and lock‑screen code theft.
The abuse underscores a growing supply‑chain threat where trusted developer hubs become inadvertent malware distributors. Security teams must extend monitoring beyond traditional app stores to include AI model repositories and their CDN endpoints, employing hash‑based detection and behavioral analytics to spot rapidly changing payloads. Collaboration between platform operators and incident‑response firms, as demonstrated by Bitdefender’s notification to Hugging Face, is essential for swift takedowns. For end users, the safest practice remains installing applications exclusively from official stores and scrutinizing permission requests, especially those that invoke Accessibility Services.
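The monitoring the paragraph above calls for can be prototyped as detection logic over egress‑proxy logs. The block below is an added example written for this article; it is not Bitdefender's or Hugging Face's code. It assumes a constructed log format (timestamp, device, URL, content type, SHA‑256), a hand‑picked list of hosts treated as model‑hub CDN endpoints, a placeholder blocklist hash, and placeholder repository names. It flags three things: a payload whose hash is already on a blocklist, an Android package served from a model‑hub host, and a single repository that serves several distinct payload hashes inside a short window, which is the signature of the server‑side polymorphism described above and is exactly the case where hash matching alone fails.

```python
"""Egress-log detection for APKs served from an AI model hub.

Added example, not code from Bitdefender or Hugging Face. The log format,
host list, hashes and repository names below are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: hosts an organisation chooses to treat as model-hub CDN endpoints.
MODEL_HUB_HOSTS = {"huggingface.co", "cdn-lfs.huggingface.co"}
APK_MIME = "application/vnd.android.package-archive"

# Constructed placeholder blocklist; a real deployment would load vendor IoCs.
KNOWN_BAD_SHA256 = {"a" * 64}

# Constructed log line layout used by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) url=(?P<url>\S+) "
    r"content_type=(?P<ctype>\S+) sha256=(?P<sha>[0-9a-f]{64})$"
)


def parse_line(line):
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def repo_key(url):
    """Collapse a hub URL to host + repository path so every file and revision
    served from the same repository is counted together (assumed layout:
    /datasets/<org>/<repo>/resolve/... or /<org>/<repo>/resolve/...)."""
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    parts = parts[:3] if parts and parts[0] == "datasets" else parts[:2]
    return f"{p.hostname}/" + "/".join(parts)


def is_apk(rec):
    """Treat the payload as an Android package by MIME type or file extension."""
    return rec["ctype"] == APK_MIME or urlparse(rec["url"]).path.lower().endswith(".apk")


def analyze(lines, window=timedelta(hours=1), churn_threshold=3):
    """Return (rule, detail) alerts in the order they fire.

    known_bad_hash      payload hash is on the blocklist
    apk_from_model_hub  Android package fetched from a model-hub host
    polymorphic_source  one repository served >= churn_threshold distinct
                        hashes within `window` (server-side polymorphism)
    """
    alerts = []
    seen = defaultdict(list)  # repo key -> [(timestamp, sha256)]
    flagged = set()           # repos already reported as polymorphic
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if rec["sha"] in KNOWN_BAD_SHA256:
            alerts.append(("known_bad_hash", f"{rec['device']} {rec['sha'][:12]}"))
        if host in MODEL_HUB_HOSTS and is_apk(rec):
            key = repo_key(rec["url"])
            alerts.append(("apk_from_model_hub", f"{rec['device']} {key}"))
            seen[key].append((rec["ts"], rec["sha"]))
            recent = {s for t, s in seen[key] if rec["ts"] - t <= window}
            if len(recent) >= churn_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("polymorphic_source", f"{key} {len(recent)} hashes in {window}"))
    return alerts


# Constructed sample log: a benign model download, three APK fetches from one
# placeholder dataset repository with a different hash each time, and one APK
# from an unrelated host whose hash is on the blocklist.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z device=phone-a url=https://huggingface.co/example-org/example-model/resolve/main/model.safetensors content_type=application/octet-stream sha256=" + "e" * 64,
    "2024-05-01T10:15:00Z device=phone-a url=https://huggingface.co/datasets/example-org/example-repo/resolve/main/update.apk content_type=application/vnd.android.package-archive sha256=" + "b" * 64,
    "2024-05-01T10:30:00Z device=phone-b url=https://huggingface.co/datasets/example-org/example-repo/resolve/main/update.apk content_type=application/vnd.android.package-archive sha256=" + "c" * 64,
    "2024-05-01T10:45:00Z device=phone-c url=https://huggingface.co/datasets/example-org/example-repo/resolve/main/update.apk content_type=application/vnd.android.package-archive sha256=" + "d" * 64,
    "2024-05-01T11:00:00Z device=phone-d url=https://downloads.example.invalid/update.apk content_type=application/vnd.android.package-archive sha256=" + "a" * 64,
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule:20} {detail}")
```

On the constructed sample the blocklist catches only the one host‑independent payload, while the churn rule fires on the third distinct hash from the same repository without needing any prior knowledge of those hashes; that is the point of pairing hash matching with behavioural analytics when a source rotates variants every few minutes.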