
Among the requested permissions are Accessibility Services, screen recording, screen casting, and overlay display rights. Together, these give the malware extensive visibility into user interaction and the ability to capture on-screen content across apps.
The researchers said these capabilities can be used to monitor and record user activity in real time, display fake authentication interfaces mimicking popular financial platforms (like Alipay and WeChat) to harvest credentials, capture lock screen patterns and biometric inputs, and exfiltrate harvested data back to an actor-controlled command and control (C2) server.
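The permission set above is also a usable triage heuristic: an app that binds an accessibility service, can draw overlays or capture the screen, and has network access has the building blocks for exactly the credential-theft and exfiltration flow the researchers describe. The script below is an added example, not Bitdefender's tooling or anything from the report; it scans a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) for those declarations and returns a coarse verdict. The mapping from capability to manifest marker is my own, and the two sample manifests are constructed for the demonstration, not taken from the discovered samples.

```python
"""Flag Android manifests that declare the accessibility + overlay/screen-capture combination."""
import xml.etree.ElementTree as ET

# Namespace prefix for android: attributes in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Manifest markers for each capability (my own mapping, not Bitdefender's):
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
MEDIA_PROJECTION_PERM = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"
INTERNET_PERM = "android.permission.INTERNET"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which of the abused capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    caps = {
        "package": root.get("package"),
        "accessibility": False,
        "overlay": OVERLAY_PERM in perms,
        "screen_capture": MEDIA_PROJECTION_PERM in perms,
        "network": INTERNET_PERM in perms,
    }
    for svc in root.iter("service"):
        # A real accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE
        # and filter the AccessibilityService action; the framework requires both.
        binds = svc.get(A + "permission") == ACCESSIBILITY_PERM
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if binds and ACCESSIBILITY_ACTION in actions:
            caps["accessibility"] = True
        # Screen recording/casting via MediaProjection runs from a foreground service
        # declared with this type on recent Android versions.
        if "mediaProjection" in (svc.get(A + "foregroundServiceType") or ""):
            caps["screen_capture"] = True
    return caps


def verdict(caps: dict) -> str:
    """Coarse rating: the full combination plus network access is what enables the described attack."""
    if caps["accessibility"] and (caps["overlay"] or caps["screen_capture"]) and caps["network"]:
        return "high"
    if caps["accessibility"] or caps["overlay"] or caps["screen_capture"]:
        return "medium"
    return "low"


# Constructed sample manifests (not real malware), one suspicious and one benign.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Cast" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        caps = triage_manifest(sample)
        print(caps["package"], verdict(caps), caps)
```

The rating is deliberately coarse: legitimate screen readers, parental-control and remote-support apps declare the same combination, so a "high" verdict is a reason to look at the sample, not a conviction. Pair it with the published IoCs (hashes, package names, C2 domains) for anything that actually matches the campaign.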
Bitdefender said it contacted Hugging Face before publishing the disclosure, and the platform quickly took down the datasets containing the malware. Hugging Face did not immediately respond to CSO's request for comment.
To aid detection, Bitdefender has shared a list of indicators of compromise (IoCs), including dropper hashes, IP addresses, domains, and package names.
