
Android RAT Uses Hugging Face to Host Malware

A new Android remote access trojan (RAT) uses the popular AI platform Hugging Face to host and distribute malicious payloads, Bitdefender has revealed.

The dropper contacts an encrypted endpoint hosted at trustbastion[.]com, which returns not a malicious APK but an HTML page. That page contains a redirect link pointing to the Hugging Face repository hosting the malware, from which the dropper downloads the malicious APK onto the victim’s device. Routing the download through Hugging Face helps the operators avoid setting off alarms on the victim’s device, since the APK is fetched from a reputable domain rather than directly from attacker-controlled infrastructure.
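The two observable steps in that chain are an HTTP response that carries HTML where an APK was expected, and a redirect inside that HTML pointing at an .apk on huggingface.co. The following Python is an added example (not code from Bitdefender or the article) that checks a captured response body for both: it sniffs the APK magic (an APK is a ZIP archive, so it starts with `PK\x03\x04`), and otherwise extracts meta-refresh, anchor and inline-script redirects and flags any that resolve to a Hugging Face-hosted .apk. The sample HTML, the user/repo names and the hostname allowlist are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: stands in for the HTML body the dropper receives instead
# of an APK. The Hugging Face user/repo/file names are placeholders.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://huggingface.co/example-user/example-repo/resolve/main/update.apk">
</head><body>
<a href="https://huggingface.co/example-user/example-repo/resolve/main/update.apk">Download</a>
<script>window.location.href = "https://huggingface.co/example-user/example-repo/resolve/main/update.apk";</script>
</body></html>"""

# Domain(s) to treat as third-party payload hosting (assumption for this example).
HOSTING_DOMAINS = ("huggingface.co",)

APK_MAGIC = b"PK\x03\x04"  # APKs are ZIP archives


class _RedirectExtractor(HTMLParser):
    """Collects candidate redirect targets from meta-refresh, <a href> and inline JS."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; catch location assignments there.
        for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
            self.urls.append(m.group(1))


def extract_redirects(html: str) -> list:
    p = _RedirectExtractor()
    p.feed(html)
    return p.urls


def _hosted_on(host: str, domain: str) -> bool:
    # exact match or subdomain only; "evilhuggingface.co" must not match
    return host == domain or host.endswith("." + domain)


def suspicious_apk_redirects(html: str) -> list:
    """Return redirect targets that point to an .apk on a monitored hosting domain."""
    hits = set()
    for u in extract_redirects(html):
        parsed = urlparse(u)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".apk") and any(_hosted_on(host, d) for d in HOSTING_DOMAINS):
            hits.add(u)
    return sorted(hits)


def classify_response(body: bytes) -> str:
    """'apk' if the body is a ZIP/APK, 'html-redirect' if it is HTML steering to a hosted APK, else 'other'."""
    if body.startswith(APK_MAGIC):
        return "apk"
    text = body.decode("utf-8", errors="replace")
    if suspicious_apk_redirects(text):
        return "html-redirect"
    return "other"


if __name__ == "__main__":
    print(classify_response(SAMPLE_HTML.encode()))
    for url in suspicious_apk_redirects(SAMPLE_HTML):
        print("redirect to hosted APK:", url)
```

Run against proxy or sandbox captures, a `Content-Type: text/html` body that classifies as `html-redirect` on a URL the app expected to return an APK is the tell; the hostname allowlist can be widened to whatever file-hosting services your environment wants to watch.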

“Analysis of the Hugging Face repository revealed a high volume of commits over a short period of time,” said Bitdefender. “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6000 commits.” The operation also appears resilient to takedown: when one repository went offline, the campaign simply moved to another redirect link, “with the project using different icons and some minor adjustments,” but the same code. To raise their chances of success further, the threat actors behind the campaign are using polymorphic techniques, consistent with the rapid payload regeneration above: if every download is a freshly built APK, its file hash changes faster than signature- or hash-based blocklists can track it.

Once the payload is installed, the malware masquerades as a “Phone Security” feature and walks the user through enabling Accessibility Services, which gives the RAT “broad visibility into user interactions across the device,” according to Bitdefender. It also requests permissions for screen recording, screen casting and overlay display, allowing it to monitor all user activity, capture screen content and send it to a command-and-control server. The malware impersonates popular financial and payment services such as Alipay and WeChat in order to harvest credentials, and can even capture the lock-screen information used for these apps’ security verification.
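The abuse described above leaves device-side state an incident responder can inspect over adb: the `enabled_accessibility_services` secure setting lists every package/service pair with accessibility enabled, and `appops` reports whether a package has been granted the overlay (`SYSTEM_ALERT_WINDOW`) and screen-capture (`PROJECT_MEDIA`) operations. The following Python is an added triage helper (my own, not Bitdefender's tooling) that parses the output of those two commands and flags packages that are not on an allowlist and hold either risky op. The command outputs embedded here are constructed samples in the real formats; the package names and the allowlist are placeholders for this example.

```python
# Constructed sample of:  adb shell settings get secure enabled_accessibility_services
# Entries are "package/ServiceClass" separated by ':'; a class starting with '.' is
# relative to its package. The second package is a placeholder for a suspect app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.phonesecurity/.AccessSvc"
)

# Constructed sample of:  adb shell appops get com.example.phonesecurity
SAMPLE_APPOPS = """SYSTEM_ALERT_WINDOW: allow; time=+4m12s301ms ago
PROJECT_MEDIA: allow; time=+3m58s120ms ago
CAMERA: ignore; time=+1d2h ago
"""

# Packages you expect to have accessibility enabled on this fleet (assumption).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}

# App-ops that, together with an accessibility service, let an app read and
# overlay the screen the way the RAT does.
RISKY_OPS = {"SYSTEM_ALERT_WINDOW", "PROJECT_MEDIA"}


def parse_enabled_services(value: str) -> list:
    """Return [(package, fully_qualified_service_class), ...] from the secure setting."""
    services = []
    for entry in value.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_accessibility_packages(value: str, allowlist=KNOWN_GOOD) -> list:
    """Packages with accessibility enabled that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(value) if pkg not in allowlist})


def parse_appops(output: str) -> dict:
    """Map op name -> mode ('allow', 'ignore', 'deny', 'default') from `appops get` output."""
    ops = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line == "No operations.":
            continue
        name, _, rest = line.partition(":")
        mode = rest.strip().split(";")[0].strip()
        if name and mode:
            ops[name.strip()] = mode
    return ops


def risky_ops(appops_output: str) -> set:
    """Risky ops the package is currently allowed."""
    return {op for op, mode in parse_appops(appops_output).items() if op in RISKY_OPS and mode == "allow"}


def triage(setting_value: str, appops_by_pkg: dict, allowlist=KNOWN_GOOD) -> list:
    """Flag non-allowlisted accessibility packages that also hold overlay/screen-capture ops.

    appops_by_pkg maps package -> raw `appops get <pkg>` output (collected per suspect package).
    """
    findings = []
    for pkg in unexpected_accessibility_packages(setting_value, allowlist):
        ops = risky_ops(appops_by_pkg.get(pkg, ""))
        if ops:
            findings.append({"package": pkg, "risky_ops": sorted(ops)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, {"com.example.phonesecurity": SAMPLE_APPOPS}):
        print(f"{f['package']}: accessibility enabled + {', '.join(f['risky_ops'])}")
```

On a live device, pipe `adb shell settings get secure enabled_accessibility_services` into `parse_enabled_services`, then run `adb shell appops get <pkg>` for each unexpected package and feed the output to `triage`. A package that was sideloaded, holds an accessibility service and has both ops allowed is exactly the profile of the RAT described above, whatever it calls itself in the launcher.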

To read the complete article see: Infosecurity Magazine

This post is licensed under CC BY 4.0 by the author.