Beware! Hackers can steal sensitive data from your Android phone using this app

Updated on 03-Feb-2026
HIGHLIGHTS

Fake security apps are being used to steal personal data, including banking details, messages, and passwords from Android phones.

Hackers are spreading malware through trusted platforms, tricking users into downloading harmful updates that look safe and official.

Users who install apps outside official app stores face higher risk, especially if they allow suspicious permissions or act on fear-based warnings.

Security experts have confirmed a new Android malware campaign that spreads by abusing trust in popular developer tools. The threat was discovered by Bitdefender in early 2026. It includes thousands of harmful app files shared through Hugging Face, a well-known artificial intelligence platform used by developers. Because the platform is trusted, the malware avoids suspicion and stays online longer than usual. The main app involved is a fake security tool called TrustBastion. It scares users with urgent warnings and pushes them to install a dangerous update. The malware, a polymorphic Remote Access Trojan (RAT), can steal banking details, watch phone screens, and read messages. Users who download apps outside official stores and skip safety checks face serious risk.

The attack was uncovered by researchers from Romanian security company Bitdefender. They found thousands of harmful Android app files being shared through the Hugging Face platform. Since the platform is trusted, the files did not trigger any suspicion. This made it easier for the malicious apps to spread and remain on the platform for a longer period than usual.

One of the prime sources of the malware is the TrustBastion app (and a later version called Premium Club), which claims to protect phones from threats and shows scary warnings saying the device is infected or under attack. These fear-based messages push users to act immediately without verifying the information. Once installed, the app requires users to download an update that contains the malicious code.

The update notification looks like one from the Google Play Store, but it does not come from the Play Store app. When users try to update, they are quietly redirected to a Hugging Face repository, from which the real harmful app is downloaded.

The malware is built to steal information from banking and payment apps on the infected device. It can read messages, record what is happening on the screen, and show fake login pages that look real. This allows criminals to capture passwords, PINs, and other private details without users noticing.

Once the app is downloaded, it asks for special permissions, specifically Accessibility Services, by claiming they are needed for security. If the user grants the permission, the malware can control parts of the phone and even block attempts to remove it. Furthermore, the researchers say the app uses server-side polymorphism to change its form every 15 minutes, making it harder for security tools to catch quickly.
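A defender-side check for the Accessibility Services abuse described above, as an added example that is not from Bitdefender or the original article: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and lists enabled accessibility services whose package was not installed by Google Play. The package names, the trusted-installer list and the sample output are constructed assumptions.

```python
import re

# Installers treated as trusted; an assumption for this example (Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package -> installer from `adb shell pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Split the colon-separated enabled_accessibility_services value
    into (package, service class) pairs; 'null' or empty means none."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for component in value.split(":"):
        if "/" in component:
            pkg, _, cls = component.partition("/")
            pairs.append((pkg, cls))
    return pairs

def risky_services(pm_output, setting_value, system_packages=frozenset()):
    """Return enabled accessibility services whose package did not come from
    a trusted installer and is not a known preinstalled system package."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_accessibility(setting_value):
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS and pkg not in system_packages:
            findings.append((pkg, cls, installer))
    return findings

# Constructed sample output; package names are placeholders, not from the report.
SAMPLE_PM = """\
package:com.example.reader  installer=com.android.vending
package:com.example.fakeguard  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_A11Y = "com.example.reader/.ReaderService:com.example.fakeguard/.GuardService"

if __name__ == "__main__":
    for pkg, cls, installer in risky_services(SAMPLE_PM, SAMPLE_A11Y):
        print(f"REVIEW: {pkg} ({cls}) installer={installer}")
```

Preinstalled apps can also report `installer=null`, so pass the package names from `adb shell pm list packages -s` as `system_packages` to keep them out of the findings.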

Google has confirmed that these apps were not found on its Play Store and that its built-in protection can block known versions. Users are advised to avoid third-party app stores, ignore scare-based warnings, and carefully review app permissions. Staying cautious remains the best way to stay safe.

Bhaskar Sharma

Bhaskar is a senior copy editor at Digit India, where he simplifies complex tech topics across iOS, Android, macOS, Windows, and emerging consumer tech. His work has appeared in iGeeksBlog, GuidingTech, and other publications, and he previously served as an assistant editor at TechBloat and TechReloaded. A B.Tech graduate and full-time tech writer, he is known for clear, practical guides and explainers.
