February 9, 2026

Android users beware! This security app is actually malware in disguise | usagoldmines.com

Security researchers have discovered new Android malware that allows attackers to track almost every action taken on a smartphone. Among other details, this includes PIN entries, login credentials, and content within messaging and banking apps.

What makes this particularly insidious is that the malware uses Hugging Face—a reputable developer platform—to spread inconspicuously.

Malware that pretends to be a security app

This malware campaign was discovered by researchers at security company Bitdefender. At the heart of this campaign is an Android app called “TrustBastion,” which masquerades as a security solution.

Victims of the attack are confronted with advertisements and/or pop-ups claiming that their smartphone is infected. In order to remove alleged threats—including phishing attempts, scam texts, and other malware—they’re instructed to install the app.

The application appears harmless at first glance. In fact, however, it’s a so-called “dropper,” which means the app itself doesn’t initially contain any malicious functions but downloads them later.

A fake update downloads malware

Immediately after installation, TrustBastion displays a supposedly necessary update. The window is visually similar to official Android or Google Play dialogs, and anyone who agrees to the update ends up downloading a manipulated APK file in the background.

The APK download doesn’t take place via underground servers but rather via Hugging Face. The platform is widely used in the developer and AI community and has a good reputation, which is exactly what the attackers exploit: connections to Hugging Face aren’t classified as suspicious by many security solutions.

Accessibility abuse as a gateway

After installation, the actual malware requests extensive permissions. It pretends to be a system component called “Phone Security” and prompts users to activate Android accessibility features.

These access rights are particularly critical. They allow an app to read screen content, log inputs, and overlay other applications. This means the malware can start capturing every PIN entry and/or unlock pattern, plus overlay fake login interfaces on top of genuine apps.

This access allows data for payment services, messengers, and other sensitive apps to be intercepted. The captured information is then transmitted to a central control server belonging to the attackers. From there, new commands or updates can also be sent to infected devices.

New variants make detection difficult

According to Bitdefender, the attackers rely on so-called server-side polymorphism to evade detection—in short, new versions of the malware are generated approximately every 15 minutes. Each slightly modified APK file has the same functionality with negligible tweaks.

Within one month, the researchers counted more than 6,000 different variants. The aim is to circumvent classic signature-based virus scanners. The campaign also changed names and icons several times after individual software packages were removed.

What should you do now?

Android users should only install apps from the Google Play Store and not allow apps from external sources. You should be particularly cautious with apps that claim to be security or protection software while also requiring extensive system permissions. Make sure to activate Google Play Protect for maximum security against threats.

You should also be wary when downloading apps and files from well-known platforms. A reputable infrastructure doesn’t guarantee that provided files are safe or clean. Only activate accessibility features if you clearly understand the purpose of the app asking.

If you’ve installed a suspicious app, you should remove it immediately and scan your device for malware. When in doubt, you may also want to reset your device to factory settings.
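The check below is an added example, not part of the original article or Bitdefender's tooling: it cross-references the accessibility services enabled on a device with the installer recorded for each third-party app, and lists services whose app did not come from Google Play. The package and class names in the sample data are hypothetical; a hit is a prompt to review the app, not proof of malware.

```python
import subprocess
import sys

PLAY_STORE = "com.android.vending"  # installer package name used by Google Play

def parse_enabled_services(raw):
    """Split the colon-separated `package/class` list; the setting reads `null` when empty."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [c.partition("/")[::2] for c in raw.split(":") if c]

def parse_installers(raw):
    """Map package -> installer from `package:<name>  installer=<pkg|null>` lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, inst = line[len("package:"):].partition("installer=")
            inst = inst.strip()
            installers[name.strip()] = None if inst in ("", "null") else inst
    return installers

def sideloaded_accessibility(services_raw, third_party_raw):
    """Return (package, service, installer) for enabled services of non-Play third-party apps."""
    installers = parse_installers(third_party_raw)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] != PLAY_STORE]

def adb_shell(*args):
    """Run one command on the USB-connected device; requires adb and USB debugging."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample output; the package and class names are hypothetical.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.phonesecurity/.GuardService\n")
SAMPLE_THIRD_PARTY = ("package:com.example.phonesecurity  installer=null\n"
                      "package:com.example.notes  installer=com.android.vending\n")

if __name__ == "__main__":
    live = "--live" in sys.argv  # without --live the constructed sample is used
    services = (adb_shell("settings", "get", "secure", "enabled_accessibility_services")
                if live else SAMPLE_SERVICES)
    packages = adb_shell("pm", "list", "packages", "-3", "-i") if live else SAMPLE_THIRD_PARTY
    for pkg, cls, installer in sideloaded_accessibility(services, packages):
        print(f"REVIEW {pkg}/{cls}: accessibility enabled, installer={installer}")
```

Preinstalled services such as TalkBack are skipped because `pm list packages -3` lists only third-party apps.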

 

This article is written by: Nermeen Nabil Khear Abdelmalak
