Hackers are reportedly using the popular Hugging Face AI platform to release Android malware that can take over your device. The malware is delivered via a fake app.
For the unfamiliar, Hugging Face is an open platform that hosts AI tools and machine learning bots. Users and creators can distribute and download AL, NLP and ML models. Unfortunately, sometimes it can be used to release bad models as well.
Researchers at the cybersecurity firm Bitdefender found that this new malware first appeared in an app called TrustBastion. Hugging Face “doesn’t seem to have meaningful filters that govern what people can upload,” the researchers said.
What this malware does
Bitdefender says TrustBastion connects to a third-party server, which then redirects to a Hugging Face repository with 6,000 commits. Despite being reported, Bitdefender says a new repository almost immediately appeared with a new name and icons, but the same malicious code.
This Trojan malware is quite powerful. According to Bitdefender, it can take screenshots, display fake login interfaces for financial serives and capture your lock screen pin. That information is then sent to a third-party server.
How to stay safe
The simplest thing you can do is download Android apps only from reputable sources with some form of moderation and security filtering, such as the Google Play Store or the Samsung Galaxy Store. Even in those places, be sure to scour the reviews and note the overall downloads and rating.
Avoid sideloading APKs outside of the store. If you are triple-checking that the publisher and URL are correct before you download. Be wary of any apps that ask for accessibility permissions.
You should periodically scan your Android device with Play Protect and bolster your security with some of the best Android antivirus apps.
Follow Tom’s Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.
