Bitdefender researchers have discovered an Android RAT (remote access trojan) campaign that combines social engineering, the Hugging Face online platform as a staging host for its payloads, and extensive use of Accessibility Services to compromise devices.
What makes this campaign particularly interesting is the attackers’ use of Hugging Face to host malicious payloads, and the scale at which new samples are deployed.
Hugging Face is a widely used online hosting service that provides a home to machine learning models and gives users a place to host their open-source models, datasets, and other development tools that researchers and developers usually need.
Unfortunately, the space Hugging Face offers can also be used by cybercriminals for malicious purposes, as the platform doesn’t seem to have meaningful filters that govern what people can upload. Hugging Face states that all uploads are scanned with ClamAV, an open-source antivirus engine.
Key Findings
- The RAT uses a two-step infection chain that starts with a dropper and is followed by a malicious payload.
- The Hugging Face online service is abused to host and distribute dangerous APKs.
- The attackers use server-side polymorphism by producing new payloads roughly every 15 minutes.
- The Trojan abuses Accessibility Services to obtain persistent visibility and control.
- Attackers use fake system and financial interfaces to steal credentials and lock screen information.
- A centralized command-and-control server (C2) coordinates payload delivery and data exfiltration.
Initial infection: dropper distribution and deceptive update prompts
The infection chain begins when users download a malicious Android application called TrustBastion. In the most likely scenario, a user encounters an advertisement or similar prompt claiming the phone is infected and urging the installation of a security platform, often presented as free and packed with “useful” features.
When its website was online (trustbastion[.]com), it promised to detect scams and fraudulent SMSes, phishing, malware and much more.
The app is actually a dropper and contains no dangerous functionality at first glance.
Once the user manually installs the app, the dropper immediately displays a prompt warning users that an update is required to continue using the application.
The visual elements resemble legitimate Google Play and Android system update dialogs, which increases the chances that victims will comply.
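As an added illustration from the defender's side (not code from Bitdefender's report or from this page), the following Python script scans proxy log records for Android clients fetching APKs from a model-hosting domain and counts the distinct payload hashes served from each URL, which is what a roughly 15-minute repacking cadence means for hash-based blocking. The log format, repository paths, user agents and hashes are all constructed sample values.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed tab-separated proxy records (not from the report):
# time, client, url, status, content-type, user-agent, sha256
SAMPLE_LOG = """\
2025-01-10T10:00:01Z\t10.0.0.5\thttps://huggingface.co/example-user/example-repo/resolve/main/update.apk\t200\tapplication/vnd.android.package-archive\tDalvik/2.1.0 (Linux; U; Android 14)\taaaa1111
2025-01-10T10:16:40Z\t10.0.0.9\thttps://huggingface.co/example-user/example-repo/resolve/main/update.apk\t200\tapplication/vnd.android.package-archive\tDalvik/2.1.0 (Linux; U; Android 13)\tbbbb2222
2025-01-10T10:31:05Z\t10.0.0.5\thttps://huggingface.co/example-user/example-repo/resolve/main/update.apk\t200\tapplication/octet-stream\tDalvik/2.1.0 (Linux; U; Android 14)\tcccc3333
2025-01-10T10:32:00Z\t10.0.0.7\thttps://huggingface.co/some-org/some-model/resolve/main/model.safetensors\t200\tapplication/octet-stream\tpython-requests/2.31\tdddd4444
2025-01-10T10:33:00Z\t10.0.0.8\thttps://play.google.com/store/apps/details?id=com.example\t200\ttext/html\tMozilla/5.0 (Linux; Android 14)\teeee5555
"""

HOSTING_DOMAINS = {"huggingface.co"}  # services not expected to serve APKs to phones
APK_MIME = "application/vnd.android.package-archive"
FIELDS = ("time", "client", "url", "status", "ctype", "ua", "sha256")

def parse_log(text):
    """Parse TSV records into dicts, skipping blank or malformed lines."""
    rows = (line.split("\t") for line in text.splitlines())
    return [dict(zip(FIELDS, r)) for r in rows if len(r) == len(FIELDS)]

def is_apk(rec):
    """APK by declared MIME type or by .apk path (CDNs often send octet-stream)."""
    return rec["ctype"] == APK_MIME or urlparse(rec["url"]).path.lower().endswith(".apk")

def is_android_client(rec):
    return "Dalvik" in rec["ua"] or "Android" in rec["ua"]

def flag_sideload_downloads(records):
    """An Android client pulling an APK from a hosting service is a sideload candidate."""
    return [r for r in records if urlparse(r["url"]).hostname in HOSTING_DOMAINS
            and is_apk(r) and is_android_client(r)]

def distinct_payloads_per_url(flagged):
    """Many hashes behind one URL suggests server-side polymorphism:
    block the URL/repository rather than chasing individual sample hashes."""
    seen = defaultdict(set)
    for r in flagged:
        seen[r["url"]].add(r["sha256"])
    return {url: len(h) for url, h in seen.items()}

if __name__ == "__main__":
    for url, n in distinct_payloads_per_url(flag_sideload_downloads(parse_log(SAMPLE_LOG))).items():
        print(f"{n} distinct payload hashes served from {url}")
```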
Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.