Hugging Face infra abused to spread Android RAT in a large-scale malware campaign

Abuse through smart hosting: Hugging Face is a go-to platform for developers hosting machine learning models, datasets, and tooling. According to Bitdefender, the resource is now being leveraged to mask malicious downloads amidst legitimate activity. While the platform uses ClamAV scanning on uploads, these controls currently fall short of filtering out cleverly disguised malware repositories, the researchers noted.

“Analysis of the Hugging Face repository revealed a high volume of commits over a short period of time,” the researchers said. “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6,000 commits.”

The repository was eventually taken offline, but the operation resurfaced elsewhere with minor cosmetic changes, while the underlying code remained unchanged.
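The commit pattern the researchers describe (a repository only weeks old, with new payloads landing every few minutes) is something a defender can turn into a simple triage heuristic over a repository's commit history. The following is an added example, not code from the article or from Bitdefender or Hugging Face; the thresholds are assumptions chosen to illustrate the idea, and the sample timestamps are constructed to mirror the cadence quoted above (one commit every 15 minutes for 29 days). In practice the timestamps would come from the repository's commit log, for example `git log --format=%cI` on a clone.

```python
from datetime import datetime, timedelta
from statistics import median


def commit_cadence_stats(timestamps):
    """Summarise the cadence of a list of datetime commit timestamps.

    Returns commit count, repository age in days (first to last commit),
    the median gap between consecutive commits in seconds, and commits per day.
    """
    if len(timestamps) < 2:
        raise ValueError("need at least two commits to measure cadence")
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    age_days = (ts[-1] - ts[0]).total_seconds() / 86400
    return {
        "commits": len(ts),
        "age_days": age_days,
        "median_gap_seconds": median(gaps),
        "commits_per_day": len(ts) / age_days if age_days > 0 else float("inf"),
    }


def is_suspicious_cadence(stats, max_age_days=60, min_commits_per_day=50,
                          max_median_gap_seconds=1800):
    """Flag a young repository whose commits arrive at machine-like frequency.

    The thresholds are illustrative assumptions: a legitimate model or dataset
    repo rarely receives dozens of commits per day for weeks with a median gap
    under half an hour. Tune them against your own corpus before relying on them.
    """
    return (stats["age_days"] <= max_age_days
            and stats["commits_per_day"] >= min_commits_per_day
            and stats["median_gap_seconds"] <= max_median_gap_seconds)


# Constructed sample 1: a commit every 15 minutes for 29 days, like the
# cadence described in the article (not real repository data).
_start = datetime(2025, 1, 1)
SAMPLE_AUTOMATED = [_start + timedelta(minutes=15 * i) for i in range(29 * 96 + 1)]

# Constructed sample 2: a human-paced project, one commit per day for 200 days.
SAMPLE_BENIGN = [_start + timedelta(days=i) for i in range(200)]

# Constructed sample 3: a brand-new project with a burst of 20 commits over 10 days.
SAMPLE_NEW_PROJECT = [_start + timedelta(hours=12 * i) for i in range(20)]


if __name__ == "__main__":
    for name, sample in (("automated", SAMPLE_AUTOMATED),
                         ("benign", SAMPLE_BENIGN),
                         ("new-project", SAMPLE_NEW_PROJECT)):
        stats = commit_cadence_stats(sample)
        print(f"{name:12s} commits={stats['commits']:5d} age={stats['age_days']:6.1f}d "
              f"median_gap={stats['median_gap_seconds']:6.0f}s "
              f"suspicious={is_suspicious_cadence(stats)}")
```

Only the constructed automated sample trips the heuristic; the daily-commit project fails the age test and the new project fails the rate test. A flag from this check is a reason to look at what the commits actually change, not a verdict on its own.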

Installation, permissions, and persistent RAT: Once the second-stage payload installs, the application poses as a system component for a “Phone Security” feature and guides the user through enabling highly sensitive Android permissions.

Among the requested permissions are Accessibility Services, screen recording, screen casting, and overlay display rights. Together, these give the malware extensive visibility into user interaction and the ability to capture on-screen content across apps.

The researchers said these capabilities can be used to monitor and record user activity in real time, display fake authentication interfaces mimicking popular financial platforms (like Alipay and WeChat) to harvest credentials, capture lock screen patterns and biometric inputs, and exfiltrate harvested data back to an actor-controlled command and control (C2) server.

Bitdefender said it contacted Hugging Face before publishing the disclosure, and the latter quickly took down the datasets containing malware. Hugging Face did not immediately respond to CSO’s request for comments.

For additional support, Bitdefender has shared a list of indicators of compromise (IoCs), including dropper hashes, IPs, domains, and package names.
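The permission set described above (an accessibility service plus overlay rights plus screen capture) is a combination that a defender can check for statically in an app's manifest before installation. Below is an added example, not code from the article or from Bitdefender; the mapping of the article's wording to manifest declarations is my assumption: overlay display rights correspond to the `android.permission.SYSTEM_ALERT_WINDOW` permission, Accessibility Services to a `<service>` guarded by `android.permission.BIND_ACCESSIBILITY_SERVICE`, and screen recording or casting to a foreground service of type `mediaProjection`. The sample manifests are constructed, and the package name is a placeholder. A decoded `AndroidManifest.xml` would first have to be extracted from the APK (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name):
    """Build the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_risk_findings(manifest_xml):
    """Return the set of risk indicators declared in a decoded AndroidManifest.xml.

    Indicators: 'overlay' (SYSTEM_ALERT_WINDOW requested), 'accessibility_service'
    (a service bindable only by the accessibility framework), and
    'screen_capture_service' (a foreground service typed for media projection).
    """
    root = ET.fromstring(manifest_xml)
    findings = set()
    for node in root.iter("uses-permission"):
        if node.get(_attr("name")) == OVERLAY_PERMISSION:
            findings.add("overlay")
    for svc in root.iter("service"):
        if svc.get(_attr("permission")) == ACCESSIBILITY_BIND_PERMISSION:
            findings.add("accessibility_service")
        # foregroundServiceType may carry several values joined with '|'
        types = svc.get(_attr("foregroundServiceType"), "").split("|")
        if "mediaProjection" in types:
            findings.add("screen_capture_service")
    return findings


def is_high_risk(findings):
    """Accessibility control combined with overlays is the pairing that enables
    both reading the screen and drawing fake login prompts over other apps."""
    return {"overlay", "accessibility_service"} <= findings


# Constructed sample: a manifest declaring the full combination the article
# describes. The package name is a placeholder, not an IoC from the report.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.phonesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Phone Security">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection|dataSync"/>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = manifest_risk_findings(xml)
        print(f"{label}: findings={sorted(found)} high_risk={is_high_risk(found)}")
```

Legitimate accessibility tools and screen-sharing apps also declare some of these, so the check is a triage signal to prioritise review of an app's actual behaviour and publisher, not proof of malice on its own.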

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4124958/hugging-face-infra-abused-to-spread-android-rat-in-a-large-scale-malware-campaign.html

