Attackers Exploit Hugging Face To Distribute Trojans

Security researchers uncovered a campaign that used Hugging Face’s model repository to distribute Android banking trojans to users across multiple continents. TechRepublic reported attackers uploaded trojanized apps and staged loaders disguised as AI models, enabling credential theft, SMS interception, and persistent device access; the incident prompted removals and renewed calls for stricter repository moderation and behavioral detection.
Key Points
- 1Distribute Android banking trojans through Hugging Face model repository using staged loaders and secondary hosts
- 2Exploit platform trust to bypass signature-based defenses and social-engineer users into granting extensive permissions
- 3Require behavioral detection, stricter repository moderation, and updated mobile device management controls
Scoring Rationale
Highlights substantial platform-abuse risk and actionable defenses, but limited by reliance on a single report and incomplete cross-platform telemetry.
Sources
Public references used for this report.
Practice with real Banking data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Banking problems

