A sophisticated Android banking trojan known as OctoV2 has been discovered masquerading as the legitimate DeepSeek AI application.
The malware campaign uses a deceptive phishing website that closely mimics the official DeepSeek platform, tricking users into downloading a malicious application that steals login credentials and sensitive information.
DeepSeek, an advanced artificial intelligence chatbot developed by a Chinese startup based in Hangzhou, released its first application for iOS and Android platforms in January 2025.
The popularity of this AI platform has made it an attractive target for cybercriminals looking to exploit user trust.
K7 Security Labs researchers detected this threat after observing a suspicious Twitter post about a fake DeepSeek Android application.
Their analysis revealed that the malware is being distributed through a phishing link: hxxps://deepsekk[.]sbs, which downloads a malicious APK file to the victim’s device.
Once installed, the malicious application displays an icon identical to the legitimate DeepSeek app, making it difficult for users to identify the threat.
When launched, the malware presents an update screen prompting users to enable the “Allow from this source” option and install an additional component.
The infection process results in two instances of the DeepSeek malware being installed on the device, each with a different package name.
Technical analysis shows the primary package “com.hello.world” acting as a parent app, which then installs a secondary “com.vgsupervision_kit29” package as the child app.
The malware employs sophisticated methods to evade detection. Both the parent and child applications are password-protected, making them difficult to analyze with standard reversing tools like APKTool and Jadx.
The parent app extracts a hidden “.cat” file from its assets folder and copies it to the device as “Verify.apk” before installing it as the child package.
After installation, the child application persistently requests Accessibility Service permissions, giving the malware extensive control over the device.
It utilizes a Domain Generation Algorithm (DGA) to establish communication with command and control (C2) servers.
The trojan then scans and retrieves a list of all installed applications on the victim’s device and transmits this information to the C2 server.
The bot commands and C2 details are stored in the “/data/data/com.vgsupervision_kit29/shared_prefs/main.xml” file.
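As an added example (not code from K7 Security Labs or from the article), the script below turns the indicators reported above into a small triage routine a defender could run over an APK sample, a `pm list packages` dump and a file listing from a device image: it looks for an APK hidden under `assets/` (by the reported `.cat` suffix or by the ZIP signature, so a renamed payload is still caught), checks whether the parent/child package pair is installed together, and checks for the `shared_prefs/main.xml` path the article names. The sample APK, the asset name `payload.cat`, the package-manager output and the path list are all constructed stand-ins for the demonstration.

```python
import io
import re
import zipfile

# Indicators taken from the write-up above (package names, asset suffix, prefs path).
PARENT_PACKAGE = "com.hello.world"
CHILD_PACKAGE = "com.vgsupervision_kit29"
DROPPER_ASSET_SUFFIX = ".cat"
C2_PREFS_PATH = "/data/data/com.vgsupervision_kit29/shared_prefs/main.xml"
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a non-empty ZIP/APK


def find_dropper_assets(apk_bytes):
    """Return names of assets/ entries that look like an embedded child APK.

    An entry is flagged if its name carries the '.cat' suffix the article reports,
    or if its first bytes are the ZIP signature (an APK hidden under any name).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.startswith("assets/") or info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))
            if info.filename.endswith(DROPPER_ASSET_SUFFIX) or head == ZIP_MAGIC:
                findings.append(info.filename)
    return findings


def find_package_pair(pm_list_output):
    """Parse `adb shell pm list packages` output and report the parent/child pair."""
    installed = set(re.findall(r"^package:(\S+)$", pm_list_output, re.MULTILINE))
    parent = PARENT_PACKAGE in installed
    child = CHILD_PACKAGE in installed
    return {"parent": parent, "child": child, "pair_present": parent and child}


def find_c2_prefs(file_listing):
    """Given file paths from a device image, return those matching the C2 prefs file."""
    return [path for path in file_listing if path == C2_PREFS_PATH]


def build_sample_apk():
    """Constructed stand-in for the dropper: a ZIP carrying a nested APK-like ZIP
    under assets/ with the '.cat' suffix. Contains no real code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as child:
        child.writestr("AndroidManifest.xml", "<manifest package='constructed.child'/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as parent:
        parent.writestr("AndroidManifest.xml", "<manifest package='constructed.parent'/>")
        parent.writestr("classes.dex", b"dex\n035\0")
        parent.writestr("assets/payload.cat", inner.getvalue())  # hypothetical asset name
        parent.writestr("assets/config.json", "{}")  # benign asset, must not be flagged
    return outer.getvalue()


# Constructed `pm list packages` output showing the parent and child side by side.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.hello.world
package:com.vgsupervision_kit29
"""

# Constructed path list as it might come from a device image walk.
SAMPLE_FILE_LISTING = [
    "/data/data/com.android.chrome/shared_prefs/main.xml",
    C2_PREFS_PATH,
]


def triage(apk_bytes, pm_list_output, file_listing):
    """Combine the three checks into one verdict dict."""
    assets = find_dropper_assets(apk_bytes)
    packages = find_package_pair(pm_list_output)
    prefs = find_c2_prefs(file_listing)
    return {
        "dropper_assets": assets,
        "packages": packages,
        "c2_prefs": prefs,
        "suspicious": bool(assets) or packages["pair_present"] or bool(prefs),
    }


if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_PM_OUTPUT, SAMPLE_FILE_LISTING))
```

The ZIP-signature check matters more than the suffix: the `.cat` name is what this campaign used, but a dropper that renames its payload still has to ship a valid APK, and that APK still begins with the ZIP local-file-header bytes. Because the parent and child APKs are password-protected against decompilers, inspecting the archive entries with `zipfile` rather than running them through APKTool or Jadx is also a cheap first pass that does not depend on decompilation succeeding.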
Users are advised to download applications only from official sources like Google Play, keep their devices updated with the latest security patches, and use reputable security solutions to detect and prevent such threats.