
Security researchers have uncovered a new Android malware campaign capable of tracking nearly everything users do on their smartphones—including PIN entries, login credentials, and activity inside messaging or banking apps. The campaign stands out for using Hugging Face, a trusted developer platform, to distribute malicious components while avoiding detection.
Researchers at Bitdefender say the malware is spread through a fake security app called “TrustBastion.” Victims encounter ads or pop-ups claiming their devices are infected and are urged to install the app to remove supposed threats. While the application initially appears legitimate, it functions as a “dropper,” meaning it later downloads the real malicious payload.
After installation, the app presents a fake update prompt that closely resembles official Android or Google Play dialogs. If users accept, a manipulated APK file is downloaded in the background. Instead of suspicious underground servers, the download comes from Hugging Face—a reputable platform widely used by developers and AI researchers. Because connections to the service are generally considered safe, many security tools don’t flag the activity.
Once the secondary payload is installed, the malware requests extensive permissions while posing as a system component called “Phone Security.” It prompts users to enable Android accessibility features, which grant broad control over the device. With these permissions, the malware can read screen content, log keystrokes, and overlay fake login pages on top of real apps to capture sensitive data.
This access allows attackers to intercept information from payment apps, messengers, and banking services. Stolen data is transmitted to a command server, which can also send new instructions or updates to infected devices. According to Bitdefender, the attackers generate new variants roughly every 15 minutes using server-side polymorphism, making detection difficult. More than 6,000 variants were identified within a single month.
Security experts recommend installing apps only from the Google Play Store and avoiding downloads from external sources. Users should be cautious of apps claiming to offer security protection while requesting broad permissions. Enabling Google Play Protect and limiting accessibility permissions to trusted apps can help reduce risk. If a suspicious app has already been installed, it should be removed immediately and the device scanned—or reset to factory settings if necessary.
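One way to audit the two conditions the article ties together, a sideloaded app that holds Android accessibility access, as an added example that is not part of the original article or of Bitdefender's report. It parses text in the format produced by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package names and values embedded below are constructed.

```python
"""Triage helper: cross-reference enabled accessibility services with each
package's installer and flag grants held by apps not installed from Google Play.
Sample inputs are constructed; real runs would feed in the two adb outputs."""

PLAY_STORE = "com.android.vending"  # installer id recorded for Play Store installs

# Constructed sample: `settings get secure enabled_accessibility_services`
# (':'-separated component names of the form package/ServiceClass)
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.phonesecurity/com.example.phonesecurity.AccessService"
)

# Constructed sample: `pm list packages -i` (installer=null means sideloaded/adb)
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.phonesecurity  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_accessibility_services(raw: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service classes ('null' = none)."""
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):  # expand the relative class-name shorthand
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> dict[str, str]:
    """Map package -> installer package name ('null' when none is recorded)."""
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        pkg_part, _, installer = line.partition("installer=")
        installers[pkg_part[len("package:"):].strip()] = installer.strip() or "null"
    return installers


def flag_suspicious(a11y: dict[str, list[str]], installers: dict[str, str]) -> list[dict]:
    """Return packages holding accessibility access that did not come from Play."""
    return [
        {"package": pkg, "installer": installers.get(pkg, "null"), "services": classes}
        for pkg, classes in a11y.items()
        if installers.get(pkg, "null") != PLAY_STORE
    ]
```

Each finding is a starting point for manual review (app label, signing certificate, install time), not a verdict on its own.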

