Hugging Face platform hijacked to send out Android malware - here's what we know so far

• Hackers used Hugging Face to deliver Android malware via fake antivirus app TrustBastion
• Malware steals screenshots, lock codes, and payment logins, exfiltrating data to attacker servers
• Campaign persisted with new repositories despite takedown, highlighting risks of unverified app source

Hackers are abusing the Hugging Face platform to deliver Android malware which can entirely take over compromised endpoints, experts have warned.

Hugging Face is an open platform for AI tools and machine learning, where users can host and distribute AL, NLP, or ML models - but it seems it also sometimes used as a launchpad for poisoned models too.

In this case, the crooks used it to deliver Android malware, cybersecurity researchers at Bitdefender noted, starting with a dropper app called TrustBastion.