A new Android banking trojan, known as OctoV2, has been discovered posing as the legitimate DeepSeek AI application. The malware campaign relies on a phishing website that mimics the official DeepSeek platform, deceiving users into downloading a malicious application. This application then steals sensitive information, including login credentials, by exploiting users’ trust in the AI platform. DeepSeek, a chatbot developed by a Chinese startup in Hangzhou, gained significant attention after releasing its mobile app in January 2025, making it an attractive target for cybercriminals.
Researchers from K7 Security Labs identified the threat after noticing a suspicious post about a fake DeepSeek Android app on Twitter.
Upon further investigation, the team found that the malware was distributed through a phishing link: hxxps://deepsekk[.]sbs. This link directs users to a malicious APK file that, when installed, presents an icon identical to the legitimate DeepSeek app, making it challenging for users to detect the trojan. Once the app is launched, it prompts users to allow the installation of an additional component that further facilitates the infection.
The installation process of the malware involves two distinct packages. The primary package, “com.hello.world,” acts as the parent app, which installs a secondary child package, “com.vgsupervision_kit29.” This secondary package, once installed, requests Accessibility Service permissions to gain extensive control over the device. The malware is highly sophisticated, using password protection to prevent analysis with standard tools like APKTool and Jadx.
Furthermore, the parent app extracts a hidden file from its assets folder, installs it as a child app, and ensures persistence on the device.
OctoV2 employs a Domain Generation Algorithm (DGA) to communicate with command and control (C2) servers. The malware scans the victim’s device for installed applications, gathering this data and sending it to the C2 server. Information related to the bot commands and C2 is stored in a specific file on the device, making it harder to detect. Users are strongly advised to download apps only from official sources like Google Play, regularly update their devices with the latest security patches, and use reliable security solutions to prevent such threats from compromising their devices.