{
	"id": "4fa62b79-8573-4f7d-a920-0dc508cc05a9",
	"created_at": "2026-04-06T00:08:26.539005Z",
	"updated_at": "2026-04-10T03:21:13.395189Z",
	"deleted_at": null,
	"sha1_hash": "73867b091fb7760b4c3cbed781d13018c8a80eee",
	"title": "Android Banking Trojan – OctoV2, masquerading as Deepseek AI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3874571,
	"plain_text": "Android Banking Trojan – OctoV2, masquerading as Deepseek AI\r\nPublished: 2025-03-14 · Archived: 2026-04-05 20:21:02 UTC\r\nThe world is moving from human reality to artificial reality, also known as advanced artificial intelligence (AI). In January 2025, Deepseek, an advanced artificial intelligence developed by a Chinese startup based in Hangzhou, released its first chatbot application, based on the Deepseek-R1 model, for the iOS and Android platforms. This blog is about how threat actors create deceptive websites that mimic Deepseek AI to mislead users into downloading their malicious app.\r\nWe at K7 Labs recently came across a Twitter post about Deepseek Android malware, as shown in Figure 1.\r\nFigure 1: Download page\r\nThis malware is propagated via the malicious phishing link hxxps://deepsekk[.]sbs, as shown in Figure 2.\r\nhttps://labs.k7computing.com/index.php/android-banking-trojan-octov2-masquerading-as-deepseek-ai/\r\nPage 1 of 14\n\nFigure 2: Deepseek app phishing page\r\nOnce the user clicks on the message, it downloads a malicious DeepSeek.apk (Hash: e1ff086b629ce744a7c8dbe6f3db0f68) from hxxps://deepsekk[.]sbs/DeepSeek.apk and saves the file to the device’s “Sdcard/Downloads” folder, as shown in Figure 3.\r\nFigure 3: Deepseek app saved location – “Sdcard/Downloads” folder\r\nOnce the user falls prey to this Trojan and installs the malicious “DeepSeek.apk”, the app uses the genuine DeepSeek icon in the device app drawer, as shown in Figure 4.\r\nFigure 4: Fake Deepseek app icon created by the malware\r\nOnce the user launches the malicious Deepseek app, an update screen appears. 
When the user clicks “Update”, they are prompted to enable the “Allow from this source” option and install an additional app, as shown in Figure 5.\r\nFigure 5: Deepseek client app installation\r\nAfter completing this process, an additional Deepseek app icon appears in the device’s app drawer, as shown in Figure 6. Based on the figure, we concluded that two instances of the Deepseek malware are installed on the device, each with a different package name.\r\nFigure 6: Multiple Deepseek icons created by the malware\r\nTo verify this, the Logcat logs show the installation process of two APKs, as seen in Figure 7 below.\r\nFigure 7: Logcat logs\r\nFrom here on, we will refer to the package “com.hello.world” as the parent app and “com.vgsupervision_kit29” as the child app. Once the child app “com.vgsupervision_kit29” is installed on the device, it repeatedly brings up the Accessibility Service settings screen, as shown in Figure 8, until the user eventually allows this app to have the Accessibility Service enabled.\r\nFigure 8: Accessibility service request from the client app\r\nTechnical Analysis\r\nTo proceed with our analysis, we attempted to extract the parent APK “deepseek.apk” using 7-Zip, but it prompted us for a password, even though we were able to successfully install and execute the app on the device. This is unusual, and we have been observing a rapid increase in the number of such password-protected malicious APK files in our zoo collection. 
Furthermore, reversing tools like APKTool and Jadx failed to parse these APK files, as shown in Figure 9.\r\nFigure 9: 7-Zip and reversing tools failed to parse\r\nHowever, we noticed that the app under consideration was successfully parsed by the Android SDK tool aapt, as shown in Figure 10.\r\nFigure 10: Successfully parsed by aapt\r\nSince the reversing tools failed to parse the APK, we extracted the files created by the app from the emulator after installation.\r\nCode Analysis after child app installation\r\nLocating the .cat file from the parent app’s assets folder\r\nOnce the user launches the malicious parent app “com.hello.world”, it scans the app’s assets directory to find a file with the “.cat” extension, as shown in Figure 11.\r\nFigure 11: Searching for the .cat file in the parent app’s assets folder\r\nFigure 12 shows the .cat file present in the parent app’s assets folder.\r\nFigure 12: Parent app’s assets folder\r\nExtracting, Verifying and Installing the .cat file\r\nThe parent app opens the “.cat” file from the app’s assets folder and copies it to “data/data/com.hello.world/cache/Verify.apk”, then uses the Android method “PackageManager.getPackageArchiveInfo()” to check whether it is a valid APK. After this verification, it starts installing the file on the device as a child package named “com.vgsupervision_kit29”, as shown in Figure 13. 
A point to note is that the installed child package was also password protected.\r\nFigure 13: Child app installation process\r\nC2 Communication\r\nAfter the malicious client application “com.vgsupervision_kit29” is successfully installed on the device, it uses a Domain Generation Algorithm (DGA), a technique commonly employed to dynamically generate domain names for Command \u0026 Control (C2) communication in order to evade domain blacklisting, as shown in Figure 14.\r\nFigure 14: Domain Generation Algorithm (DGA)\r\nIt then scans and retrieves a list of all installed applications on the victim’s device, and transmits this list to the C2 server. Additionally, the bot commands and C2 details are stored in the “/data/data/com.vgsupervision_kit29/shared_prefs/main.xml” file, as shown in Figure 15.\r\nFigure 15: Bot configuration\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices by scanning them with a reputable security product like K7 Mobile Security, and keep the product active and updated. Also patch your devices for all known vulnerabilities. 
Users are also warned to exercise caution and to use only reputed platforms like Google Play and the App Store for downloading software.\r\nIndicators of Compromise (IoCs)\r\nPackage Name | Hash | Detection Name\r\ncom.vgsupervision_kit29 | 99fe380d9ef96ddc4f71560eb8888c00 | Trojan ( 0056e5201 )\r\ncom.hello.world | E1FF086B629CE744A7C8DBE6F3DB0F68 | Trojan ( 005bc2f21 )\r\nURL\r\nhxxps://deepsekk[.]sbs/DeepSeek.apk\r\nMITRE ATT\u0026CK\r\nTactics | Techniques\r\nDefense Evasion | Hide Artifacts, Download New Code at Runtime, User Evasion, Input Injection\r\nPrivilege Escalation | Device Administrator Permissions, Abuse Elevation Control Mechanism\r\nDiscovery | Security Software Discovery, System Information Discovery\r\nCollection | Input Capture, Keylogging\r\nImpact | Account Access Removal, Data Encrypted for Impact\r\nSource: https://labs.k7computing.com/index.php/android-banking-trojan-octov2-masquerading-as-deepseek-ai/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/android-banking-trojan-octov2-masquerading-as-deepseek-ai/"
	],
	"report_names": [
		"android-banking-trojan-octov2-masquerading-as-deepseek-ai"
	],
	"threat_actors": [],
	"ts_created_at": 1775434106,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73867b091fb7760b4c3cbed781d13018c8a80eee.pdf",
		"text": "https://archive.orkl.eu/73867b091fb7760b4c3cbed781d13018c8a80eee.txt",
		"img": "https://archive.orkl.eu/73867b091fb7760b4c3cbed781d13018c8a80eee.jpg"
	}
}