Android Malware Hidden in Fake Antivirus App


If you use an Android phone, this is worth your attention.

Cybersecurity researchers warn that hackers are using Hugging Face, a popular platform for sharing artificial intelligence (AI) tools, to spread dangerous Android malware.

At first, the threat seems harmless because it is disguised as an antivirus application. Once you install it, however, criminals gain direct access to your device. The threat is especially worrying because it combines two things that people already trust: security applications and artificial intelligence platforms.


Researchers say hackers hid Android malware inside a fake antivirus app that looked legitimate at first glance. (Kurt “CyberGuy” Knutsson)

What is Hugging Face and why is it important?

For anyone unfamiliar, Hugging Face is an open platform where developers share AI, NLP, and machine learning models. It is widely used by researchers and startups and has become a central hub for AI experimentation. That openness is also what the attackers exploited. Because Hugging Face allows public repositories and supports many file types, criminals were able to host malicious code in plain sight.

The fake antivirus application behind the attack

The malware first appeared in an Android app called TrustBastion. At first glance, it seems like a useful security tool. It promises antivirus protection, phishing defense, and malware blocking. In fact, it does the opposite.

Once installed, TrustBastion immediately claims that your phone is infected. It then prompts you to install an update. That update delivers the malicious code. This tactic is known as scareware. It relies on panic and urgency to push users to tap before thinking.


The fake TrustBastion app imitates a legitimate Google Play update screen to trick users into installing malware. (Bitdefender)

How the malware spreads and adapts

According to Bitdefender, a global cybersecurity company, the campaign focuses on a fake Android security app called TrustBastion. Victims were likely shown ads or warnings claiming their device was infected and instructed to manually install the app.

The attackers hosted TrustBastion APK files directly on Hugging Face, placing them within public datasets that appeared legitimate at first glance. Once installed, the app immediately prompted users to install a required “update,” which delivered the actual malware.

After researchers reported the malicious repository, it was removed. However, Bitdefender noted that almost identical repositories quickly reappeared, with minor cosmetic changes but the same malicious behavior. That quick recreation made the campaign harder to shut down completely.

What this Android malware can really do

This Trojan is not a minor annoyance. It’s invasive. Bitdefender says the malware can:

Take screenshots of your device

Show fake login screens for financial services

Capture your lock screen PIN

Once collected, that data is sent to a third-party server. From there, attackers can act quickly to empty accounts or block you from accessing your own phone.

What Google says about the threat

Google says users who stick to official app stores are protected. A Google spokesperson told CyberGuy: “Based on our current detection, no apps containing this malware have been found on Google Play.

“Android users are automatically protected against known versions of this malware using Google Play Protect, which is enabled by default on Android devices with Google Play Services.

“Google Play Protect can warn users or block apps that are known to exhibit malicious behavior, even when those apps come from sources outside of Play.”


Once installed, the malware could take screenshots, show fake login screens, and even capture your lock screen PIN. (Kurt “CyberGuy” Knutsson)

How to stay safe from Hugging Face malware for Android

This threat is a reminder that small decisions matter. This is what you should do right now:

1) Stick to trusted app stores

Download apps only from trusted sources such as Google Play Store or Samsung Galaxy Store. These platforms have moderation and scanning.

2) Read reviews before installing

Look closely at ratings, download counts, and recent comments. Fake security apps often have vague reviews or sudden rating spikes.

3) Use a data deletion service

Even careful users can have personal data exposed. A data removal service helps remove your phone number, email, and other details from data broker sites that criminals rely on. That reduces tracking scams, false security alerts, and account takeover attempts.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy.

These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com


4) Run Play Protect and use strong antivirus software

Scan your device periodically with Play Protect and back it up with powerful antivirus software for added protection. Google Play Protect, the built-in malware protection for Android devices, automatically removes known malware. However, Google Play Protect may not be enough. Historically, it has not been 100% effective at removing all known malware from Android devices.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all of your devices. This protection can also help you detect phishing and ransomware emails, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com

5) Avoid downloading APK files

Avoid installing apps from websites outside the app store. These apps bypass security checks, so always check the publisher name and URL.

6) Lock down your Google account

The security of your phone depends on it. First enable two-step verification (2FA), then use a unique, secure password stored in a password manager to prevent account takeover.

Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see Cyberguy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

7) Be careful with permissions

Be careful with accessibility permissions. Malware often abuses them to take control of your device.

8) Watch app updates carefully

Malware can hide inside fake updates. Beware of urgent fixes that push you outside the app store.
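Steps 5, 7 and 8 can be checked on a device you own. The script below is an added example, not part of the original article or Bitdefender's report: it parses the text printed by `adb shell pm list packages -i -3` and `adb shell settings get secure enabled_accessibility_services` and lists apps that did not come from a trusted store, putting those with an enabled accessibility service first. The trusted-installer list and all sample package names are assumptions made for illustration.

```python
# Added example: flag sideloaded apps, especially ones holding accessibility access.
# Feed it the output of:
#   adb shell pm list packages -i -3
#   adb shell settings get secure enabled_accessibility_services

# Assumption: Google Play and Galaxy Store are the only trusted installers.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        _, _, installer = rest.partition("installer=")
        installers[name] = installer.strip() or "null"
    return installers

def parse_accessibility(settings_output):
    """Return the packages that own an enabled accessibility service."""
    value = settings_output.strip()
    if not value or value == "null":
        return set()
    # Entries are colon-separated "package/ServiceClass" component names.
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def audit(pm_output, settings_output):
    """Return (package, installer, has_accessibility) for sideloaded apps."""
    a11y = parse_accessibility(settings_output)
    findings = [(pkg, inst, pkg in a11y)
                for pkg, inst in parse_installers(pm_output).items()
                if inst not in TRUSTED_INSTALLERS]
    # Apps with accessibility access sort first: review those before the rest.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

# Constructed sample output; the package names are invented.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.fakeav  installer=null
package:com.example.game  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.example.fakeav/com.example.fakeav.HelperService:"
               "com.example.notes/.ReaderService")

if __name__ == "__main__":
    for pkg, installer, has_a11y in audit(SAMPLE_PM, SAMPLE_A11Y):
        flag = "HIGH: accessibility enabled" if has_a11y else "review"
        print(f"{pkg:24} installer={installer:38} {flag}")
```

A sideloaded app is not malicious by definition, so treat the output as a review list: anything flagged HIGH that you do not recognize should have its accessibility access revoked and be uninstalled.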

Kurt’s Key Takeaways

This attack shows how quickly trust can be weaponized. A platform designed to advance AI research was repurposed as a malware delivery system. A fake antivirus application became the threat it was intended to stop. Staying safe no longer means avoiding apps that seem incomplete. It means questioning even those apps that seem useful and professional.

Have you seen something on your phone that made you question its security? Let us know your opinion by writing to us at Cyberguy.com


Copyright 2026 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives, with contributions to News and News Business, beginning mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.
