Android RAT Uses Hugging Face to Host Malware

By Team-CWD, February 2, 2026
A new Android remote access trojan (RAT) uses popular AI platform Hugging Face to host and distribute malicious payloads, Bitdefender has revealed.

The security vendor claimed that Hugging Face – which is designed to host AI tools, models, datasets and other assets – did not conduct sufficient checks to vet the content that users upload.

All uploads are meant to be scanned with open source antivirus engine ClamAV.

According to Bitdefender, the infection chain begins when users download a malicious Android app dubbed TrustBastion. This appears to be scareware which is forced on users via popups claiming their device is infected with malware.

In reality, the app is a dropper which, on installation, immediately prompts the user to run an update in order to use it. This update is designed to look like legitimate Google Play and Android system update dialog boxes, increasing the chances of victims following the instructions.


The dropper then contacts an encrypted endpoint hosted at trustbastion[.]com, which returns not a malicious APK file but an HTML file. This contains a redirect link which points to the Hugging Face repository hosting the malware.

This in turn downloads the malicious APK to the victim’s device. Using Hugging Face in this way helps those behind the malware campaign avoid setting off any alarms on the victim’s device.

“Typically, traffic from low-trust domains gets flagged immediately, which is why attackers often will try to use well-established domains that don’t raise suspicions,” Bitdefender said.
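For defenders, the delivery chain described above (an HTML page from one host, followed by an APK download from a general-purpose hosting platform) can be hunted for in web proxy logs. The sketch below is an added example, not code from Bitdefender or the original article; the log format, hosts, paths and the 60-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the report):
# time, client, host, path, response content type.
SAMPLE_LOG = """\
2026-02-01T10:00:00 10.0.0.5 lowtrust.example /update text/html
2026-02-01T10:00:04 10.0.0.5 huggingface.co /datasets/placeholder-user/placeholder-repo/resolve/main/app.apk application/vnd.android.package-archive
2026-02-01T10:05:00 10.0.0.7 huggingface.co /datasets/research-org/corpus/resolve/main/train.parquet application/octet-stream
2026-02-01T10:06:00 10.0.0.8 news.example /index.html text/html
2026-02-01T10:20:00 10.0.0.8 huggingface.co /datasets/placeholder-user/placeholder-repo/resolve/main/app.apk application/vnd.android.package-archive
"""

APK_MIME = "application/vnd.android.package-archive"
HOSTING_PLATFORMS = {"huggingface.co"}  # assumption: general-purpose hosts to watch
WINDOW = timedelta(seconds=60)          # assumption: max gap between page and download


def parse(line):
    ts, client, host, path, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host, "path": path, "ctype": ctype}


def is_apk(ev):
    # Match on content type or file extension, since either may be missing or wrong.
    return ev["ctype"] == APK_MIME or ev["path"].lower().endswith(".apk")


def find_redirected_apk_downloads(log_text):
    """Return (client, referring_host, apk_path) for APK fetches from a hosting
    platform that follow an HTML page from a different host within WINDOW."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    last_html = {}  # client -> most recent HTML response from a non-platform host
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ctype"].startswith("text/html") and ev["host"] not in HOSTING_PLATFORMS:
            last_html[ev["client"]] = ev
        elif is_apk(ev) and ev["host"] in HOSTING_PLATFORMS:
            prev = last_html.get(ev["client"])
            if prev and ev["ts"] - prev["ts"] <= WINDOW:
                hits.append((ev["client"], prev["host"], ev["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_redirected_apk_downloads(SAMPLE_LOG):
        print(hit)
```

Only the first client is reported: the dataset download by 10.0.0.7 is not an APK, and 10.0.0.8 fetched the APK 14 minutes after its last HTML page, outside the correlation window.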

An Automated and Persistent Campaign

Bitdefender said it contacted Hugging Face before publishing the research and they quickly took down the datasets containing malware. However, the campaign itself already appears to have infected thousands of victims.

“Analysis of the Hugging Face repository revealed a high volume of commits over a short period of time,” said Bitdefender. “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6000 commits.”

It also appears to be persistent: although one repository went offline, the whole operation simply moved to another redirect link, “with the project using different icons and some minor adjustments,” but the same code.

To increase their chances of success further, the threat actors behind the campaign are using polymorphic techniques.

“Each new file upload is actually a newly built APK that has the same malicious functionality while introducing minor variations,” Bitdefender explained. “They are intended to evade hash-based detection.”

However, the fact that the various payloads share common behavioral traits, permission requests and communication patterns makes them easier to detect using behavioral analysis techniques, the report noted.
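The contrast between hash-based and trait-based matching can be shown with a small triage sketch. This is an added example, not code from the report: the builds and feature sets are constructed, the Android permission identifiers are assumed stand-ins for the capabilities the article names, and the 0.8 similarity threshold is an arbitrary choice.

```python
import hashlib

# Constructed profile of one analysed build. Assumption: the article names the
# capabilities (Accessibility Services, screen capture, overlays) but not manifest
# entries; these are the standard Android identifiers for them.
# BIND_ACCESSIBILITY_SERVICE appears on the <service> element, not <uses-permission>.
FAMILY_FEATURES = {
    "perm:android.permission.BIND_ACCESSIBILITY_SERVICE",
    "perm:android.permission.SYSTEM_ALERT_WINDOW",
    "perm:android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
    "perm:android.permission.INTERNET",
    "label:Phone Security",
}
KNOWN_BYTES = b"constructed-build-0001"
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BYTES).hexdigest()}
THRESHOLD = 0.8  # assumption: minimum Jaccard similarity to call a family match

# Constructed samples: a rebuild with different bytes and icon, and a benign
# accessibility tool that shares only part of the feature set.
REBUILD = {"bytes": b"constructed-build-0002",
           "features": FAMILY_FEATURES | {"icon:variant-b"}}
SCREEN_READER = {"bytes": b"constructed-benign-app",
                 "features": {"perm:android.permission.BIND_ACCESSIBILITY_SERVICE",
                              "perm:android.permission.INTERNET",
                              "label:Screen Reader"}}
ORIGINAL = {"bytes": KNOWN_BYTES, "features": set(FAMILY_FEATURES)}


def jaccard(a, b):
    """Size of the intersection over size of the union of two feature sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(sample):
    """Return 'hash-match', 'behaviour-match' or 'no-match' for one sample."""
    if hashlib.sha256(sample["bytes"]).hexdigest() in HASH_BLOCKLIST:
        return "hash-match"
    if jaccard(sample["features"], FAMILY_FEATURES) >= THRESHOLD:
        return "behaviour-match"
    return "no-match"


if __name__ == "__main__":
    for name, s in [("original", ORIGINAL), ("rebuild", REBUILD),
                    ("screen reader", SCREEN_READER)]:
        print(name, classify(s))
```

The rebuild has a new SHA-256 and so misses the blocklist, but five of its six features match the family profile, so it is still attributed to the family.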

Once the payload is installed, the malware masquerades as a “Phone Security” feature and guides users through the process of enabling Accessibility Services, which in fact gives the RAT “broad visibility into user interactions across the device,” said Bitdefender.

It also requests permissions enabling screen recording, screen casting and overlay display – monitoring all user activity, capturing screen content and sending it to a command-and-control server. 

The malware also impersonates popular financial and payment services like Alipay and WeChat, in order to harvest sensitive credentials.

It can even capture lockscreen information for these apps’ security verification.
