Mallory

Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures

Tags: credential-stealer-activity, phishing-campaign-intelligence, remote-access-implant, financial-sector-threat, loader-delivery-mechanism

Updated March 21, 2026 at 02:42 PM (6 sources)

Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses Hugging Face as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named TrustBastion via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with trustbastion[.]com which redirects to a Hugging Face dataset repository hosting the final APK. The actor used server-side polymorphism to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“Premium Club”) with refreshed branding.
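As an added illustration, not code from the Bitdefender report or from Mallory: a small Python detector that walks constructed proxy-log lines, reports APK downloads served from Hugging Face dataset repositories, and then flags any repository that served several distinct APK hashes within an hour, the server-side polymorphism pattern (a new variant roughly every 15 minutes) described above. The dataset repository path, client addresses and hashes in the sample log are placeholders, and the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (assumed format): timestamp client status url sha256-of-body.
# Repository path, clients and hashes are placeholders, not indicators from the report.
LOG = """\
2025-12-10T09:00:01Z 10.0.0.5 302 https://trustbastion.com/update -
2025-12-10T09:00:02Z 10.0.0.5 200 https://huggingface.co/datasets/placeholder-org/placeholder-repo/resolve/main/update.apk 1111aaaa
2025-12-10T09:15:40Z 10.0.0.7 200 https://huggingface.co/datasets/placeholder-org/placeholder-repo/resolve/main/update.apk 2222bbbb
2025-12-10T09:31:12Z 10.0.0.9 200 https://huggingface.co/datasets/placeholder-org/placeholder-repo/resolve/main/update.apk 3333cccc
2025-12-10T09:46:05Z 10.0.0.5 200 https://huggingface.co/datasets/placeholder-org/placeholder-repo/resolve/main/update.apk 4444dddd
2025-12-10T10:02:00Z 10.0.0.8 200 https://huggingface.co/datasets/benign-org/benign-repo/resolve/main/data.parquet 9999eeee
"""

# An APK fetched through the dataset "resolve" path of a Hugging Face repo.
HF_DATASET_APK = re.compile(
    r"^https://huggingface\.co/datasets/([^/]+/[^/]+)/resolve/[^?]*\.apk$", re.I)


def parse(lines):
    """Yield (timestamp, client, status, url, sha256) tuples from the log text."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, sha = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(status), url, sha


def apk_from_hf_datasets(lines):
    """Return (client, repo, sha256) for every successful APK download from a dataset repo."""
    hits = []
    for _, client, status, url, sha in parse(lines):
        m = HF_DATASET_APK.match(url)
        if m and status == 200:
            hits.append((client, m.group(1), sha))
    return hits


def polymorphic_repos(lines, window=timedelta(hours=1), min_variants=3):
    """Map repo -> number of distinct APK hashes it served inside one sliding `window`.
    Several hashes for the same path in a short time is the polymorphism signal."""
    seen = defaultdict(list)  # repo -> [(timestamp, sha256)]
    for ts, _, status, url, sha in parse(lines):
        m = HF_DATASET_APK.match(url)
        if m and status == 200:
            seen[m.group(1)].append((ts, sha))
    flagged = {}
    for repo, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hashes = {s for t, s in events[i:] if t - t0 <= window}
            if len(hashes) >= min_variants:
                flagged[repo] = len(hashes)
                break
    return flagged
```

A single APK from a dataset repo is only a lead; the hash-churn count is what separates a polymorphic delivery point from an ordinary file host.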

ESET separately identified an Android spyware campaign tracked as GhostChat that uses romance-scam tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a ClickFix compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.

Timeline

  1. Jan 29, 2026

    Hugging Face removes malicious Android malware datasets

    After being notified by Bitdefender, Hugging Face removed the malicious datasets used by the TrustBastion/Premium Club Android malware campaign. Despite the takedown, researchers said the operators continued attempting to re-establish their hosting infrastructure.

  2. Jan 29, 2026

    Bitdefender discloses Hugging Face-hosted Android RAT campaign

    Bitdefender reported a large-scale Android malware campaign abusing Hugging Face as a trusted hosting platform to distribute polymorphic RAT payloads aimed at stealing credentials, especially in the Asia-Pacific region. The malware used fake update prompts, Accessibility Services abuse, phishing overlays for apps such as Alipay and WeChat, and lock-screen credential theft.

  3. Jan 29, 2026

    ESET links GhostChat to broader surveillance operations

    ESET assessed that the same threat actor behind GhostChat also conducted related operations including ClickFix-based desktop compromises and a WhatsApp device-linking attack dubbed GhostPairing. These campaigns used websites impersonating Pakistani government organizations and QR-code lures, including a fake channel claiming ties to Pakistan's Ministry of Defence.

  4. Jan 29, 2026

    ESET uncovers GhostChat Android spyware campaign targeting Pakistan

    ESET researchers reported an Android spyware campaign in Pakistan in which victims are lured through romance-scam social engineering into manually installing a malicious app called GhostChat from unofficial sources. The spyware routes chats through WhatsApp, monitors device activity, and exfiltrates images, documents, and other sensitive data to a command-and-control server.

  5. Dec 31, 2025

    TrustBastion repository disappears and campaign rebrands as Premium Club

    After the TrustBastion repository was removed in late December 2025, the same Android malware operation resurfaced under the new app or repository name "Premium Club" while reusing the same codebase and tactics. Reports indicate the attackers continued rebuilding infrastructure after takedowns.

  6. Nov 30, 2025

    TrustBastion malware repository operates on Hugging Face

    Bitdefender observed a Hugging Face dataset repository used to deliver Android RAT payloads that was about 29 days old and had accumulated more than 6,000 commits, with new polymorphic APK variants generated roughly every 15 minutes. The campaign used a fake security app called TrustBastion and scareware-style lures to push victims toward sideloading malware.


Sources

February 2, 2026 at 03:28 PM
January 30, 2026 at 12:29 PM
January 29, 2026 at 10:08 PM


Related Stories

Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures


Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.

1 month ago
Mobile and Web Fraud Campaigns Impersonating Public Services to Steal Data


Multiple active fraud and malware operations are abusing *trusted themes and brands* to compromise users, with a heavy emphasis on mobile-first delivery via social engineering. Zimperium reported a **targeted Android spyware** operation delivered through a fake “dating” app promoted via social media and messaging links; once installed, the app requests broad permissions (e.g., SMS, contacts, media) to enable **surveillance and data exfiltration** including messages, location, and credentials. Separately, Zimperium also described an Android campaign that **hides a RAT inside artifacts presented as legitimate AI/ML components** hosted on trusted framework infrastructure, enabling attackers to bypass basic screening and gain persistent device control (data theft, screen capture, remote command execution). In parallel, CybersecurityNews summarized two public-service impersonation campaigns tied to “traffic ticket” lures. In India, attackers are mimicking **RTO e-challan** notifications distributed via WhatsApp and other messaging platforms to push off-store Android apps that steal financial and personal data; the malware reportedly uses a **three-stage modular architecture**, dynamic remote configuration, anti-analysis, and a **custom VPN tunnel** to conceal C2 and exfiltration, while prompting victims for high-risk permissions and to disable battery optimization for persistence. In Canada, a separate operation uses **SEO poisoning** and SMS/ad lures to drive victims to **fake provincial traffic ticket payment portals** (e.g., BC, Ontario, Quebec) that harvest PII and payment card data; Unit 42 attributed the activity to a broader fraud network using a phishing kit with a “waiting room” feature and infrastructure spanning **70+ domains**, including concentration on the `45.156.87.0/24` netblock.

1 month ago
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims


Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.

1 month ago
