Android malware hidden in fake antivirus app

Fake antivirus app TrustBastion uses Hugging Face to deliver Android malware that captures screenshots, steals PINs and shows fake login screens, according to Bitdefender.



Sign up for my FREE CyberGuy Report

Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

For anyone unfamiliar, Hugging Face is an open platform where developers share AI, NLP and machine learning models. It is widely used by researchers and startups and has become a central hub for AI experimentation. That openness is also what attackers exploited. Because Hugging Face allows public repositories and supports many file types, criminals were able to host malicious code in plain sight.

The malware first appeared in an Android app called TrustBastion. On the surface, it looks like a helpful security tool. It promises virus protection, phishing defense and malware blocking. In reality, it does the opposite. 

Once installed, TrustBastion immediately claims your phone is infected. It then pressures you to install an update. That update delivers the malicious code. This tactic is known as scareware. It relies on panic and urgency to push users into tapping before thinking.

According to Bitdefender, a global cybersecurity company, the campaign centers on a fake Android security app called TrustBastion. Victims were likely shown ads or warnings claiming their device was infected and were instructed to manually install the app.

The attackers hosted TrustBastion's APK files directly on Hugging Face, placing them inside public datasets that appeared legitimate at first glance. Once installed, the app immediately prompted users to install a required "update," which delivered the actual malware.

After researchers reported the malicious repository, it was taken down. However, Bitdefender observed that nearly identical repositories quickly reappeared, with small cosmetic changes but the same malicious behavior. That rapid re-creation made the campaign harder to fully shut down.

This Trojan is not minor or annoying. It is invasive. Bitdefender says the malware can:

Take screenshots of your device

Show fake login screens for financial services

Capture your lock screen PIN

Once collected, that data is sent to a third-party server. From there, attackers can move quickly to drain accounts or lock you out of your own phone.

Google says users who stick to official app stores are protected. A Google spokesperson told CyberGuy, "Based on our current detection, no apps containing this malware are found on Google Play." 

This threat is a reminder that small choices matter. Here is what you should do right now:

Look closely at ratings, download counts and recent comments. Fake security apps often have vague reviews or sudden rating spikes.

Even careful users can have personal data exposed. A data removal service helps remove your phone number, email and other details from data broker sites that criminals rely on. That reduces follow-up scams, fake security alerts and account takeover attempts.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com


Scan your device regularly with Play Protect and back it up with strong antivirus software for added protection. Google Play Protect, which is built-in malware protection for Android devices, automatically removes known malware. However, it is important to note that Google Play Protect may not be enough. Historically, it hasn't been 100% effective at removing all known malware from Android devices.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

Avoid installing apps from websites outside the app store. These apps bypass security checks, so always verify the publisher name and URL.

Your phone security depends on it. Enable two-step verification (2FA) first, then use a strong, unique password stored in a password manager to prevent account takeovers.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

Be cautious with accessibility permissions. Malware often abuses them to take control of your device.

Malware can hide inside fake updates. Be cautious of urgent fixes that push you outside the app store.
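If you are comfortable with a command line, the sideloading and accessibility tips above can be checked together on your own phone. The script below is an added example, not code from Bitdefender or from this article; it parses the text output of two standard adb commands, and the package names and the trusted-installer list in it are constructed assumptions.

```python
"""Flag user-installed Android apps that were sideloaded and also have an
accessibility service enabled. Input is text captured by the device owner:
  adb shell pm list packages -3 -i
  adb shell settings get secure enabled_accessibility_services
"""
import re

# Installers treated as trusted stores (assumption; add your vendor's store).
TRUSTED_INSTALLERS = {"com.android.vending"}
_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer for each third-party package line."""
    matches = (_PKG_LINE.match(line.strip()) for line in pm_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def parse_accessibility(setting_value):
    """Return the package names that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    # Entries are colon-separated "package/ServiceClass" component names.
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def risky_packages(pm_output, setting_value):
    """List (package, installer) pairs that deserve a manual review."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(setting_value)):
        installer = installers.get(pkg)
        # Packages missing from the -3 listing are preinstalled; skip them.
        if installer is not None and installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


# Constructed sample output; the package names are placeholders, not IoCs.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.fakeav  installer=com.google.android.packageinstaller
package:com.example.reader  installer=null
"""
SAMPLE_A11Y = "com.example.fakeav/.HelperService:com.example.bank/.Assist"

if __name__ == "__main__":
    for pkg, installer in risky_packages(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installed by {installer})")
```

A flagged app is a prompt to look closer, not proof of infection: some legitimate tools are sideloaded and use accessibility features.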

This attack shows how quickly trust can be weaponized. A platform designed to advance AI research was repurposed as a delivery system for malware. A fake antivirus app became the threat it claimed to stop. Staying safe no longer means avoiding sketchy-looking apps. It means questioning even those apps that appear helpful and professional.

Have you seen something on your phone that made you question its security? Let us know your thoughts by writing to us at Cyberguy.com


Copyright 2026 CyberGuy.com.  All rights reserved.
