TrustBastion
TrustBastion is the name used for an Android malware family and campaign built around a malicious app that masquerades as a mobile security or antivirus tool. In the reported activity it acts as the first-stage dropper of a two-stage infection chain; some reporting also uses the name for the Android RAT/spyware payload that the dropper delivers.

Victims are lured by scareware-style ads, fake security alerts, phishing messages, or compromised websites into sideloading the APK from outside Google Play. The app claims to provide virus protection, phishing defense, scam and fraudulent-SMS detection, and malware blocking. After installation it shows a fake Google Play/Android-style update prompt. Accepting the update makes the app contact infrastructure associated with trustbastion[.]com, which returns a redirect to a Hugging Face repository or dataset hosting the second-stage APK; the payload is then served through Hugging Face infrastructure and its CDN. The operators used server-side polymorphism, generating a new payload variant roughly every 15 minutes and producing more than 6,000 unique Android files/commits in under a month, which defeats hash-based detection.

Once active, the malware abuses Android Accessibility Services and requests additional high-risk permissions, including overlay, screen capture, screen recording/casting, and related controls. Reported capabilities include monitoring user activity, capturing screenshots and screen recordings, automating UI interactions, displaying fraudulent login overlays, stealing credentials, capturing lock-screen PIN or pattern input, blocking uninstallation attempts, and maintaining persistent communication with a centralized C2 server for commands, exfiltration, and configuration updates. Financial credential theft was specifically reported through fake interfaces impersonating Alipay and WeChat; some reporting also notes fake banking login overlays.
Observed infrastructure and IOCs reported for the campaign (defanged as in the source):

Dropper domain: trustbastion[.]com, with an endpoint reported as /xiazz.html (described as encrypted)
Second-stage payload URL: huggingface[.]co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk?download=true
Payload CDN: cdn-lfs-us-1.hf[.]co
C2: 154.198.48.57:5000
Dropper package name: rgp.lergld.vhrthg
Dropper hashes (MD5): d184d705189e42b54c6243a55d6c9502, d8b0fd515d860be2969cf441ea3b620d, b716a8a742fec3084b0f497abbfecfc0, 15bdc66aca9fb7290165d460e6a993a9

Later wave:
Dropper hash (MD5): fc874c42ea76dd5f867649cbdf81e39b
Payload package name: com.nrb.phayrucq
C2 domain: au-club[.]top
C2 IP: 108.187.7.133

The campaign was reported by Bitdefender and was observed primarily against Android users in the Asia-Pacific region. It later resurfaced under the name Premium Club while retaining the same underlying code and tactics. The source provides no definitive attribution to a known APT group.
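The following is an added hunting example, not code from Bitdefender, Mallory, or the malware itself. It refangs the indicators listed above and runs them over a handful of constructed key=value telemetry lines (DNS, proxy, netflow, and an MDM app inventory; the log format and device addresses are assumptions for illustration). Two design points matter for this campaign in particular: the Hugging Face host and its LFS CDN are legitimate services, so the rule matches the reported dataset path rather than the host; and because the operators regenerate payloads roughly every 15 minutes, file hashes are given the lowest weight while package names and C2 infrastructure, which persisted across the TrustBastion and Premium Club waves, are weighted highest.

```python
"""Hunt the TrustBastion / Premium Club indicators against key=value telemetry.

Added example; indicator values are the ones reported on this page, the log
lines and scoring are constructed for illustration.
"""
import re


def refang(ioc: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used in the IOC list so values match raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in ("trustbastion[.]com", "au-club[.]top")}
C2_IPS = {"154.198.48.57", "108.187.7.133"}
# huggingface.co and cdn-lfs-us-1.hf.co are legitimate; only the reported
# dataset path identifies the payload, so that is what we match on.
HF_PAYLOAD_PATH = refang("huggingface[.]co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk")
PACKAGES = {"rgp.lergld.vhrthg", "com.nrb.phayrucq"}
MD5S = {
    "d184d705189e42b54c6243a55d6c9502", "d8b0fd515d860be2969cf441ea3b620d",
    "b716a8a742fec3084b0f497abbfecfc0", "15bdc66aca9fb7290165d460e6a993a9",
    "fc874c42ea76dd5f867649cbdf81e39b",
}
# Assumed weights: hashes expire within minutes under server-side polymorphism,
# infrastructure and package names survived the rename to Premium Club.
WEIGHT = {"package": 3, "c2_domain": 3, "c2_ip": 3, "payload_url": 3, "md5": 1}

KV_RE = re.compile(r"(\w+)=(\S+)")
URL_RE = re.compile(r"https?://([^/\s?]+)(/[^\s?]*)?")


def parse_kv(line: str) -> dict:
    """Parse 'k=v k=v' telemetry; a URL value keeps its own '?a=b' query intact."""
    return dict(KV_RE.findall(line))


def hunt_line(line: str) -> list:
    """Return (indicator_class, indicator) hits for one telemetry line."""
    hits = []
    kv = parse_kv(line)
    host = kv.get("query") or kv.get("sni") or kv.get("host")
    if host:
        host = host.lower().rstrip(".")          # normalise trailing-dot DNS names
        if host in C2_DOMAINS:
            hits.append(("c2_domain", host))
    for key in ("dst", "dst_ip", "server_ip"):
        if kv.get(key) in C2_IPS:
            hits.append(("c2_ip", kv[key]))
    url = kv.get("url")
    if url:
        m = URL_RE.match(url)
        if m and (m.group(1) + (m.group(2) or "")).lower() == HF_PAYLOAD_PATH:
            hits.append(("payload_url", url))   # query string ('?download=true') ignored
    if kv.get("package") in PACKAGES:
        hits.append(("package", kv["package"]))
    if kv.get("md5", "").lower() in MD5S:
        hits.append(("md5", kv["md5"].lower()))
    return hits


def hunt(lines) -> dict:
    """Score hits per source device so that the dropper, payload fetch and C2 beacon add up."""
    findings = {}
    for line in lines:
        kv = parse_kv(line)
        device = kv.get("src") or kv.get("device") or "unknown"
        for cls, ioc in hunt_line(line):
            entry = findings.setdefault(device, {"score": 0, "hits": []})
            entry["score"] += WEIGHT[cls]
            entry["hits"].append((cls, ioc))
    return findings


# Constructed sample telemetry (not real logs). 10.0.0.5 walks the full chain,
# 10.0.0.9 only resolves the later-wave C2, 10.0.0.12 is clean.
SAMPLE_TELEMETRY = [
    "ts=1 type=dns src=10.0.0.5 query=trustbastion.com",
    "ts=2 type=proxy src=10.0.0.5 url=https://huggingface.co/datasets/xcvqsccm/sfxyt851/resolve/main/b.apk?download=true",
    "ts=3 type=flow src=10.0.0.5 dst=154.198.48.57 dport=5000",
    "ts=4 type=mdm device=10.0.0.5 package=rgp.lergld.vhrthg md5=d184d705189e42b54c6243a55d6c9502",
    "ts=5 type=proxy src=10.0.0.9 url=https://huggingface.co/datasets/someone/benign/resolve/main/model.bin",
    "ts=6 type=dns src=10.0.0.9 query=au-club.top",
    "ts=7 type=mdm device=10.0.0.12 package=com.example.safe md5=00000000000000000000000000000000",
]

if __name__ == "__main__":
    for device, entry in sorted(hunt(SAMPLE_TELEMETRY).items()):
        print(f"{device}: score={entry['score']} hits={entry['hits']}")
```

A device that shows a dropper domain resolution, the dataset download, and a beacon to the C2 socket in sequence is far stronger evidence than any single hash match; if a later payload wave has rotated its hashes, the infrastructure and package-name hits still fire.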
Techniques & procedures
4 distinct techniques documented for this family, organized by tactic:
Execution: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Collection: 1 technique
Recent activity
11 sources tracked across advisories, community write-ups, and news. Summaries of the reporting:
Android malware masquerading as an antivirus app. Uses scare prompts to trick users into installing an “update” that activates the malicious payload; can take screenshots, steal lock-screen PINs, and present banking credential-stealing overlay/login pages.
Seemingly benign Android dropper used in an Android RAT campaign; prompts an 'update' to fetch a malicious APK hosted on Hugging Face, then leads to permission requests (e.g., Accessibility) enabling surveillance and credential theft.
Malicious Android app used as the initial lure/dropper. It social-engineers victims with a fake Google Play-style “Update Available” prompt, then pulls a secondary spyware/RAT payload from a Hugging Face dataset. The delivered payload abuses Accessibility Services to enable screen recording, credential theft via overlays (e.g., Alipay/WeChat), and device unlock theft (PIN/pattern).
Android RAT distributed via fake security alerts; abuses Accessibility Services, uses credential-stealing overlays, retrieves second-stage payloads from Hugging Face, and employs server-side polymorphism to frequently regenerate payloads.