Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures
Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses Hugging Face as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named TrustBastion via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with trustbastion[.]com which redirects to a Hugging Face dataset repository hosting the final APK. The actor used server-side polymorphism to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“Premium Club”) with refreshed branding.
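The delivery step described above, a redirect from the dropper's infrastructure to an APK stored in a Hugging Face dataset repository, can be hunted for in web proxy logs. The following is an added example, not code from Bitdefender or from this page; the log format, hosts, repository names and function names are constructed for illustration, and it assumes the proxy records full URLs and redirect targets.

```python
import re
from urllib.parse import urlsplit

# Hugging Face serves raw dataset files under /datasets/<owner>/<repo>/resolve/<rev>/<path>.
HF_HOSTS = {"huggingface.co"}
HF_DATASET_FILE = re.compile(r"^/datasets/[^/]+/[^/]+/resolve/[^/]+/.+", re.I)

# Constructed sample proxy log (hypothetical format):
# time, client, method, url, status, redirect target, user agent.
SAMPLE_LOG = """\
2026-01-05T10:00:01Z 10.0.0.21 GET https://cdn.dropper.example/update 302 https://huggingface.co/datasets/example-user/example-repo/resolve/main/update.apk Dalvik/2.1.0 (Linux; U; Android 13)
2026-01-05T10:00:02Z 10.0.0.21 GET https://huggingface.co/datasets/example-user/example-repo/resolve/main/update.apk 200 - Dalvik/2.1.0 (Linux; U; Android 13)
2026-01-05T10:05:00Z 10.0.0.40 GET https://huggingface.co/datasets/example-lab/corpus/resolve/main/train.parquet 200 - python-requests/2.31
2026-01-05T10:06:00Z 10.0.0.33 GET https://huggingface.co/example-lab/model/resolve/main/config.json 200 - Mozilla/5.0 (Linux; Android 14)
"""

def is_hf_dataset_apk(url):
    """True if url points at an .apk file stored in a Hugging Face dataset repo."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    return (host in HF_HOSTS
            and HF_DATASET_FILE.match(path) is not None
            and path.lower().endswith(".apk"))

def find_suspicious(log_text):
    """Return (time, client, reason, url) for each line matching the delivery pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) < 7:
            continue  # skip malformed lines
        ts, client, _method, url, status, location, _ua = fields
        if status.startswith("3") and location != "-" and is_hf_dataset_apk(location):
            # Only flag redirects that originate outside Hugging Face itself.
            if (urlsplit(url).hostname or "").lower() not in HF_HOSTS:
                hits.append((ts, client, "redirect-to-hf-dataset-apk", location))
        elif status == "200" and is_hf_dataset_apk(url):
            hits.append((ts, client, "hf-dataset-apk-download", url))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

Dataset repositories normally hold training data, so an Android package fetched from one is unusual enough to review even without the preceding redirect.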
ESET separately identified an Android spyware campaign tracked as GhostChat that uses romance-scam tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a ClickFix compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Hugging Face removes malicious Android malware datasets
After being notified by Bitdefender, Hugging Face removed the malicious datasets used by the TrustBastion/Premium Club Android malware campaign. Despite the takedown, researchers said the operators continued attempting to re-establish their hosting infrastructure.
Bitdefender discloses Hugging Face-hosted Android RAT campaign
Bitdefender reported a large-scale Android malware campaign abusing Hugging Face as a trusted hosting platform to distribute polymorphic RAT payloads aimed at stealing credentials, especially in the Asia-Pacific region. The malware used fake update prompts, Accessibility Services abuse, phishing overlays for apps such as Alipay and WeChat, and lock-screen credential theft.
ESET links GhostChat to broader surveillance operations
ESET assessed that the same threat actor behind GhostChat also conducted related operations including ClickFix-based desktop compromises and a WhatsApp device-linking attack dubbed GhostPairing. These campaigns used websites impersonating Pakistani government organizations and QR-code lures, including a fake channel claiming ties to Pakistan's Ministry of Defence.
ESET uncovers GhostChat Android spyware campaign targeting Pakistan
ESET researchers reported an Android spyware campaign in Pakistan in which victims are lured through romance-scam social engineering into manually installing a malicious app called GhostChat from unofficial sources. The spyware routes chats through WhatsApp, monitors device activity, and exfiltrates images, documents, and other sensitive data to a command-and-control server.
TrustBastion repository disappears and campaign rebrands as Premium Club
After the TrustBastion repository was removed in late December 2025, the same Android malware operation resurfaced under the new app or repository name "Premium Club" while reusing the same codebase and tactics. Reports indicate the attackers continued rebuilding infrastructure after takedowns.
TrustBastion malware repository operates on Hugging Face
Bitdefender observed a Hugging Face dataset repository used to deliver Android RAT payloads that was about 29 days old and had accumulated more than 6,000 commits, with new polymorphic APK variants generated roughly every 15 minutes. The campaign used a fake security app called TrustBastion and scareware-style lures to push victims toward sideloading malware.
Sources
AI Hub Hijacked: Polymorphic Android RAT Abuses Hugging Face to Steal Data
securityonline.info
Hugging Face Repositories Abused in New Android Malware Campaign
techrepublic.com
Hugging Face Abused to Distribute Polymorphic Android RAT TrustBastion Malware Campaign Targeting Asia-Pacific Users
rescana.com
Attackers Using Hugging Face Hosting to Deliver Android RAT Payload
cybersecuritynews.com
Hugging Face abused to spread thousands of Android malware variants
bleepingcomputer.com
A fake romance turns into an Android spyware infection - Help Net Security
helpnetsecurity.com


