OctoV2 Banking Trojan Disguised as DeepSeek AI App: A Deep Dive into the Threat

All New OctoV2 Banking Trojan in DeepSeek AI

Cybercriminals are constantly evolving their techniques to exploit popular applications and unsuspecting users. Recently, a sophisticated Android banking trojan known as OctoV2 has emerged, masquerading as the legitimate DeepSeek AI application. This malware campaign uses phishing tactics to deceive users into downloading a malicious application that steals sensitive information, including login credentials.

In this article, we will explore the mechanics of the OctoV2 malware, how it spreads, its impact, and essential security measures to protect against such threats.

The Emergence of the OctoV2 Trojan


DeepSeek AI is an advanced artificial intelligence chatbot developed by a Chinese startup based in Hangzhou. In January 2025, the company launched its first mobile applications for iOS and Android platforms, quickly gaining popularity. As with any widely-used platform, cybercriminals saw an opportunity to exploit its reputation and unsuspecting users.

Security researchers from K7 Security Labs discovered this emerging threat after identifying a suspicious Twitter post promoting a fake DeepSeek Android application. Further investigation revealed a deceptive phishing website mimicking the official DeepSeek platform, leading users to download a malicious APK file onto their devices.

The phishing site, hosted at hxxps://deepsekk[.]SBS, closely resembles the authentic DeepSeek website, making it difficult for users to tell the fraudulent copy from the legitimate one. Once a user downloads and installs the malicious APK, the malware begins its covert operations.

How OctoV2 Infects Devices

Once installed, the OctoV2 malware disguises itself by using an icon identical to the legitimate DeepSeek app, preventing users from easily detecting the threat.

Installation and Deception Tactics

When the fake application is launched, it presents a bogus update screen that prompts the user to enable the “Allow from this source” option. That toggle is Android's “Install unknown apps” permission for the app; granting it lets the fake app install a second APK of its own, embedding the malware further into the system.

Unlike basic Android malware, OctoV2 uses a two-stage infection process that leaves two instances of the malicious software on the victim’s device. Each instance carries a different package name, which makes it harder for traditional antivirus tools to detect and remove both.

Technical Breakdown of the Infection Process

The malware consists of two main components working together to compromise the device:

  • Primary package (“com.hello.world”) – the parent application, which installs the second malicious package.
  • Secondary package (“com.vgsupervision_kit29”) – installed as a child application and responsible for running the malicious activity in the background.

The parent app extracts a hidden file named “.cat” from its assets folder, renames it to “Verify.apk”, and installs it as the child package. This hidden staging of the payload helps the malware evade detection by conventional security software.
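The staging trick described above (a second APK hidden as a dotfile under assets/) is something an analyst can check for before ever running a sample. The script below is an added example, not code from the original article or from K7 Labs: it builds a constructed stand-in for the dropper in memory (the manifest and dex contents are placeholders, not the real OctoV2 files) and then triages the assets folder, flagging entries that are dotfiles, that start with a zip header (an APK is a zip archive), or that carry the zip encryption flag. Encrypted entries are reported without being opened, since Python's zipfile raises on them without a password.

```python
from __future__ import annotations

import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # an APK is a zip archive, so an embedded APK starts with this
ENCRYPTED_FLAG = 0x1        # zip general-purpose bit 0: entry is password-protected


def build_sample_dropper() -> bytes:
    """Constructed sample (NOT the real OctoV2 APK) mirroring the layout in the article:
    a parent package whose assets/ folder hides a second APK under the dotfile name '.cat'."""
    child = io.BytesIO()
    with zipfile.ZipFile(child, "w") as z:
        # Placeholder stand-ins for the child's binary manifest and dex; contents are not real.
        z.writestr("AndroidManifest.xml", b"<placeholder package='com.vgsupervision_kit29'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)

    parent = io.BytesIO()
    with zipfile.ZipFile(parent, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder package='com.hello.world'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("assets/.cat", child.getvalue())                     # hidden embedded APK
        z.writestr("assets/update_banner.png", b"\x89PNG\r\n\x1a\n")   # benign-looking asset
    return parent.getvalue()


def triage_assets(apk_bytes: bytes) -> list[dict]:
    """Scan assets/ of an APK and report entries that look like a hidden or embedded package.

    An entry is flagged when its name is a dotfile, when its first bytes are a zip header
    (i.e. another APK), or when it is password-protected. Encrypted entries are reported
    without being opened, because zipfile raises RuntimeError on them without a password.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            base = info.filename.rsplit("/", 1)[-1]
            hidden = base.startswith(".")
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            head = b""
            nested: list[str] = []
            if not encrypted:
                with z.open(info) as fh:
                    head = fh.read(4)
                if head == ZIP_MAGIC:
                    # List what the dropper would install, without extracting it to disk.
                    with z.open(info) as fh, zipfile.ZipFile(io.BytesIO(fh.read())) as inner:
                        nested = inner.namelist()
            embedded_zip = head == ZIP_MAGIC
            if hidden or embedded_zip or encrypted:
                findings.append({
                    "entry": info.filename,
                    "hidden": hidden,
                    "embedded_zip": embedded_zip,
                    "encrypted": encrypted,
                    "size": info.file_size,
                    "nested_entries": nested,
                })
    return findings


def archive_is_password_protected(apk_bytes: bytes) -> bool:
    """True if any entry carries the zip encryption flag, the property that stops
    APKTool/Jadx from unpacking the samples described in the article."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return any(i.flag_bits & ENCRYPTED_FLAG for i in z.infolist())


if __name__ == "__main__":
    sample = build_sample_dropper()
    print("password-protected:", archive_is_password_protected(sample))
    for finding in triage_assets(sample):
        print(finding)
```

To run it against a real file, read the APK bytes from disk and pass them to `triage_assets` and `archive_is_password_protected` instead of the constructed sample. A dotfile in assets/ that is itself a zip is a strong hint of a dropper; an encryption flag on the entries means you will need the password, or a dynamic dump of the installed child package, before static tools will help.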

Malware Analysis: How OctoV2 Evades Detection

OctoV2 is not a simple trojan—it employs sophisticated methods to avoid detection and removal.

Password-Protected Code

Both the parent and child APKs are password-protected archives, so standard reverse-engineering tools such as APKTool and Jadx cannot unpack and decompile them directly. This is an anti-analysis measure meant to slow static analysis of the payload; it does not make the code inaccessible, only more costly to reach.

Abuse of Accessibility Service Permissions

One of the most dangerous aspects of OctoV2 is its persistent request for Accessibility Service permissions. Once granted, these permissions allow the malware to:

  • Read on-screen content, including login credentials and SMS messages.
  • Control device input, enabling it to interact with banking apps and other sensitive applications.
  • Prevent users from uninstalling the malicious app by blocking access to security settings.

This level of control makes the malware highly dangerous, as it can operate without requiring additional user interaction.

Communication with Command-and-Control (C2) Servers

The malware uses a Domain Generation Algorithm (DGA) to derive its Command-and-Control (C2) domains dynamically rather than hard-coding them. Because the contact points keep changing, blocking a single domain does not cut the bot off, which makes detection and takedown efforts much more difficult.

Once active, the malware continuously surveils the infected device, collecting information such as the list of installed applications and transmitting it to the C2 server. This enables the attackers to carry out automated fraud, including credential theft.

The Role of Shared Preferences in Data Storage

One of the critical files storing bot commands and C2 details is located at:

/data/data/com.vgsupervision_kit29/shared_prefs/main.xml

This file contains configuration settings that guide the malware’s behavior, including how it interacts with the infected device and how data is exfiltrated. By analyzing this file, security researchers can gain insights into how the malware operates and the extent of its capabilities.
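The two package names, the Accessibility Service abuse described earlier, and the shared_prefs path above are the indicators a responder actually has to work with on a device, since the DGA means there is no fixed C2 domain to block. The script below is an added example, not code from the original article or from K7 Labs: it parses the output of three adb commands (`pm list packages`, `settings get secure enabled_accessibility_services`, and an `ls` of the preferences path) and reports whether the indicators are present. The command outputs embedded here are constructed samples, and the accessibility service class name `com.vgsupervision_kit29.AccService` is a hypothetical placeholder, since the article does not name the service.

```python
from __future__ import annotations

# Indicators taken from the article: the two package names and the child's preferences file.
IOC_PACKAGES = {"com.hello.world", "com.vgsupervision_kit29"}
IOC_PREFS_PATH = "/data/data/com.vgsupervision_kit29/shared_prefs/main.xml"

# Constructed sample of `adb shell pm list packages` output on an infected device.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.hello.world
package:com.google.android.gms
package:com.vgsupervision_kit29
"""

# Constructed sample value of `adb shell settings get secure enabled_accessibility_services`.
# Format: colon-separated ComponentName strings, "package/.Service" or "package/full.Class".
# The service class name for the malware package is a hypothetical placeholder.
SAMPLE_A11Y = ("com.android.talkback/.TalkBackService:"
               "com.vgsupervision_kit29/com.vgsupervision_kit29.AccService")

# Constructed sample of `adb shell ls <path>` (needs root) when the prefs file exists.
SAMPLE_LS = "/data/data/com.vgsupervision_kit29/shared_prefs/main.xml\n"


def parse_pm_list(output: str) -> set[str]:
    """Turn `pm list packages` output ("package:<name>" per line) into a set of names."""
    return {line[len("package:"):].strip()
            for line in output.splitlines() if line.startswith("package:")}


def parse_accessibility_services(value: str) -> list[tuple[str, str]]:
    """Split enabled_accessibility_services into (package, service class) pairs.
    `settings get` prints the literal string 'null' when nothing is enabled."""
    value = value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls   # shorthand ".Service" is relative to the package name
        pairs.append((pkg, cls))
    return pairs


def triage_device(pm_output: str, a11y_value: str, ls_output: str) -> dict:
    """Correlate the three command outputs against the article's indicators."""
    installed = parse_pm_list(pm_output)
    hits = sorted(IOC_PACKAGES & installed)
    services = parse_accessibility_services(a11y_value)
    abusive = [(p, c) for p, c in services if p in IOC_PACKAGES]
    # `ls` echoes the path on success and an error message otherwise.
    prefs_present = IOC_PREFS_PATH in ls_output.split()
    return {
        "ioc_packages_installed": hits,
        "ioc_accessibility_services": abusive,
        "all_accessibility_services": services,   # review anything unexpected here
        "c2_config_present": prefs_present,
        "infected": bool(hits or abusive or prefs_present),
    }


if __name__ == "__main__":
    result = triage_device(SAMPLE_PM_LIST, SAMPLE_A11Y, SAMPLE_LS)
    for key, val in result.items():
        print(f"{key}: {val}")
```

On a real device, feed the script the output of `adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services`, and `adb shell ls /data/data/com.vgsupervision_kit29/shared_prefs/main.xml` (the last one only works with root, because /data/data of another app is not readable otherwise). Any accessibility service from a package you did not deliberately enable deserves a look even when it is not on this list, since the package names will change between campaigns.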

Protecting Against the OctoV2 Trojan

As cyber threats continue to evolve, it is essential to adopt proactive security measures to prevent malware infections. Here are some critical steps to protect yourself from OctoV2 and similar threats:

Download Apps Only from Official Sources

One of the biggest mistakes users make is downloading applications from third-party websites or unverified sources. To minimize risk:

  • Always download apps from the Google Play Store or the Apple App Store.
  • Verify the developer’s name and read user reviews before installing any app.

Keep Your Device Updated

Regular software updates include critical security patches that help protect against newly discovered vulnerabilities. Ensure your Android operating system and all installed apps are up-to-date.

Be Cautious of Phishing Links

Cybercriminals use phishing techniques to distribute malware. To avoid falling victim to phishing scams:

  • Do not click on suspicious links sent via SMS, email, or social media.
  • Always check the website URL carefully before downloading anything.

Use Reputable Security Solutions

A strong mobile security solution can help detect and remove malware before it causes harm. Consider installing:

  • Antivirus software with real-time protection.
  • App scanners that analyze app behavior and detect hidden threats.

Disable Accessibility Service Permissions for Untrusted Apps

If an application unexpectedly requests Accessibility permissions, this is a red flag. Only grant these permissions to trusted apps and regularly review which apps have access.

Conclusion

The OctoV2 banking trojan is a prime example of how cybercriminals exploit the popularity of legitimate applications to spread malware. By masquerading as the DeepSeek AI app, this sophisticated malware gains access to banking credentials, sensitive user data, and system settings, making it a significant threat to Android users.

By staying vigilant, downloading applications from trusted sources, and adopting strong security practices, users can protect their devices from malicious attacks. As threats like OctoV2 continue to emerge, cybersecurity awareness remains the first line of defense against online fraud and identity theft.

For more:

https://cybersecuritynews.com/android-malware-mimic-as-deepseek/
