    Warning: Fake DeepSeek Android App Spreads Malware — Here’s How to Stay Safe

By Cyber infos, March 17, 2025 (updated March 17, 2025)

A new Android banking trojan, tracked as OctoV2, is being distributed disguised as the popular DeepSeek AI application. The campaign tricks users into sideloading a fake app and then steals their login credentials and other sensitive information. With DeepSeek rapidly gaining popularity, cybercriminals are capitalizing on its trusted name to spread malware.


    The Rise of DeepSeek and Its Popularity

    DeepSeek, an advanced AI chatbot developed by a Chinese startup based in Hangzhou, quickly gained traction after its release in January 2025. With versions available on both iOS and Android, DeepSeek’s intuitive design and impressive capabilities have attracted a growing user base. Unfortunately, this popularity has also made it a prime target for cybercriminals looking to exploit user trust.

    How the Malware Campaign Unfolds

    Researchers from K7 Security Labs discovered the OctoV2 malware following a suspicious Twitter post about a fake DeepSeek Android application. Their investigation led them to a phishing website designed to mimic DeepSeek’s official platform. The fraudulent site ( hxxps://deepsekk[.]sbs) hosts a malicious APK file, which unsuspecting users download and install.

    The Deceptive Installation Process

Once installed, the malicious app displays an icon identical to the legitimate DeepSeek app, so it is hard to spot by appearance alone. It then shows a fake "update" screen that asks the user to enable the "Allow from this source" option. That option is Android's per-app permission to install unknown apps: sideloading is blocked by default, and granting it to the fake app is what later lets it install a second, hidden package without going through Google Play.

    Dual Malware Instances

The infection process results in two malicious packages being installed on the victim's device:

    • Primary Package: com.hello.world — Acts as the parent app.
    • Secondary Package: com.vgsupervision_kit29 — Installed as the child app.

    Both packages are designed to operate discreetly, making detection and removal difficult.

    Advanced Evasion Techniques

    OctoV2 employs multiple techniques to avoid detection:

• Password-Protected Code: Both the parent and child APKs are password-protected archives, so standard static-analysis tools such as APKTool and Jadx cannot unpack or decompile them until the password has been recovered.
• Hidden Payload Extraction: The parent app extracts a concealed ".cat" file from its assets folder, writes it out as Verify.apk and installs it as the child package, so the real payload never appears as a separate download.
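Both traits just listed are visible from the ZIP container itself, before any decompiler is involved: a password-protected APK carries the encryption flag on its entries, and a payload hidden under assets/ is simply an archive or DEX file with a misleading extension. The script below is an added triage example, not K7 Security Labs' tooling and not the real OctoV2 files: it builds a constructed APK-like archive (the assets/update.cat name is a hypothetical stand-in for the ".cat" file), optionally marks every entry as encrypted the way a password-protected APK presents, and then reports which entries are unreadable and which assets entry is an embedded ZIP or DEX.

```python
"""Triage an APK (a ZIP container) for two OctoV2-style evasion traits:
password-protected entries, which stop apktool/jadx from unpacking, and an
embedded archive or DEX hidden under assets/ (the ".cat" dropper payload).
Added example with constructed samples; nothing here is real malware."""
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
ENCRYPTED = 0x0001  # ZIP general-purpose flag bit 0: traditional PKWARE encryption


def build_sample_apk(password_protected: bool) -> bytes:
    """Constructed APK-like archive. 'assets/update.cat' (hypothetical name)
    is itself a ZIP, standing in for the hidden child APK."""
    child = io.BytesIO()
    with zipfile.ZipFile(child, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    parent = io.BytesIO()
    with zipfile.ZipFile(parent, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        z.writestr("assets/update.cat", child.getvalue())
    data = bytearray(parent.getvalue())
    if password_protected:
        mark_entries_encrypted(data)
    return bytes(data)


def mark_entries_encrypted(data: bytearray) -> None:
    """Set the encryption flag in every central-directory and local file header.
    The payload bytes are left untouched; the flag alone makes zip tooling
    demand a password, which is what an analyst sees on a protected APK."""
    eocd = data.rfind(b"PK\x05\x06")                      # end-of-central-directory
    pos = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset
    while data[pos:pos + 4] == b"PK\x01\x02":            # central directory header
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED)
        local = struct.unpack_from("<I", data, pos + 42)[0]  # local header offset
        lflags = struct.unpack_from("<H", data, local + 6)[0]
        struct.pack_into("<H", data, local + 6, lflags | ENCRYPTED)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len


def triage_apk(apk: bytes) -> dict:
    """Report encrypted entries and embedded archives or DEX files under assets/."""
    report = {"encrypted": [], "nested_archives": [], "dex_blobs": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.flag_bits & ENCRYPTED:
                report["encrypted"].append(info.filename)
                continue  # cannot be read without the password
            if info.filename.startswith("assets/"):
                with z.open(info) as f:
                    head = f.read(8)  # magic bytes are enough to classify
                if head.startswith(ZIP_MAGIC):
                    report["nested_archives"].append(info.filename)
                elif head.startswith(DEX_MAGIC):
                    report["dex_blobs"].append(info.filename)
    # apktool/jadx need every entry readable; one encrypted entry blocks them
    report["decompilable"] = not report["encrypted"]
    return report


if __name__ == "__main__":
    for protected in (False, True):
        label = "password-protected" if protected else "plain"
        print(label, triage_apk(build_sample_apk(protected)))
```

On a real sample, replace build_sample_apk() with the bytes of the downloaded APK; an encrypted-entry report tells you up front that the archive password must be recovered (for example from the installer that unpacks it) before any decompiler will work, and a nested archive under assets/ is the file to carve out and triage next.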

    How OctoV2 Operates

Once installed, the child app repeatedly prompts the user to grant it Accessibility Service access, an Android feature intended for assistive tools that lets an app read what is on screen and act on the user's behalf. With that access, the malware can:

    1. Perform actions on behalf of the user.
    2. Capture keystrokes to steal login credentials.
    3. Modify on-screen elements to bypass security measures.

    Command and Control (C2) Mechanism

The malware uses a Domain Generation Algorithm (DGA) to locate its command and control (C2) servers. Instead of embedding fixed addresses, it computes a changing list of candidate domains, so blocking one known domain does not cut off communication; defenders have to reproduce the algorithm to predict the domains or block the traffic by other means.

    DGA (Source – K7 Security Labs)

The malware stores its bot commands and C2 server details in the child package's preferences file: /data/data/com.vgsupervision_kit29/shared_prefs/main.xml.
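That file is a standard Android SharedPreferences XML document, so it can be pulled from a rooted device or emulator and parsed directly. The following parser is an added example, not K7 Security Labs' code; it assumes the normal SharedPreferences layout (a map element of typed string, int, long, float, boolean and set entries), and the key names and values in the constructed sample are illustrative, not OctoV2's real layout. The campaign's phishing domain is kept defanged with [.] as an analyst would store it, and the parser refangs it before matching.

```python
"""Parse an Android SharedPreferences XML file such as
/data/data/com.vgsupervision_kit29/shared_prefs/main.xml and list the C2
endpoints and bot commands it holds. Added example; the key names and values
below are constructed stand-ins, not OctoV2's real configuration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the standard SharedPreferences layout.
SAMPLE_MAIN_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="gate">https://deepsekk[.]sbs/gate/</string>
    <string name="dga_seeds">q2w3e4r5[.]xyz,t6y7u8i9[.]top</string>
    <string name="bot_cmds">get_sms;open_url;push_inject;uninstall_app</string>
    <int name="ping_interval" value="30" />
    <boolean name="acc_granted" value="true" />
</map>
"""

# hostname with at least one dot; scheme and path are not part of the match
HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# semicolon-separated list of identifier-like tokens, e.g. a bot command table
CMD_LIST_RE = re.compile(r"^[a-z_]+(?:;[a-z_]+)+$")


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {name: value} with Android's typed tags converted to Python types."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file")
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = [child.text or "" for child in el]
    return prefs


def extract_c2_indicators(prefs: dict) -> dict:
    """Pull hostnames (refanging [.]) and command lists out of the string
    values, ready to feed a blocklist or a detection rule."""
    hosts, commands = set(), []
    for value in prefs.values():
        if not isinstance(value, str):
            continue
        for m in HOST_RE.finditer(value.replace("[.]", ".")):
            hosts.add(m.group(1).lower())
        if CMD_LIST_RE.match(value):
            commands.extend(value.split(";"))
    return {"hosts": sorted(hosts), "commands": commands}


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_MAIN_XML)
    print(prefs)
    print(extract_c2_indicators(prefs))
```

To run it against a real artifact, read the pulled main.xml into a string and pass it to parse_shared_prefs(); the hosts list is what goes into DNS or proxy blocking, and the command table tells you which bot capabilities to look for in the decompiled code.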

    How Users Can Protect Themselves

    To stay safe from threats like OctoV2, users should take the following precautions:

• Download Apps Only from Trusted Sources: Install DeepSeek from Google Play or the App Store, never from a link in a social media post. A look-alike domain such as deepsekk[.]sbs is the first red flag.
• Verify Application Details: Check the developer name, reviews, and download counts before installing any app.
• Do Not Grant Installation or Accessibility Rights on Request: A genuine app update never needs "Allow from this source" or Accessibility Service access to proceed. An app that asks for either right after installation should be uninstalled.
• Avoid Clicking Suspicious Links: Phishing campaigns often rely on social media links, emails, or direct messages to lure victims.
• Keep Your Device Updated: Regular security patches help protect devices from known vulnerabilities.
• Use a Reputable Security Solution: Antivirus apps can detect and block malicious applications before they cause harm.

    Final thoughts

    The emergence of OctoV2 posing as DeepSeek is a stark reminder that even trusted names in technology can be exploited by cybercriminals. Staying vigilant and adopting safe browsing habits is crucial to safeguarding your personal data. By sticking to trusted sources, verifying app details, and maintaining up-to-date security solutions, users can better protect themselves from such threats.
