# OctoV2 Android Banking Trojan - New Malware Disguised as Deepseek AI

Security experts have discovered a sophisticated Android banking Trojan campaign masquerading as a newly emerged AI chatbot to deceive users. This malware, known as OctoV2, is being distributed through phishing websites mimicking the official Deepseek AI chatbot application.

# **Phishing Method**

The malware is distributed via the malicious phishing link **hxxps://deepsekk\[.\]sbs**.

![Figure 1](https://labs.k7computing.com/wp-content/uploads/2025/03/figure2.png)

*Figure 1. Fake DeepSeek application website*

When users click the link, the malicious DeepSeek.apk file (Hash: **e1ff086b629ce744a7c8dbe6f3db0f68**) is downloaded from **hxxps://deepsekk\[.\]sbs/DeepSeek.apk** and saved to the device's “Sdcard/Downloads” directory, as shown in Figure 2.

![Figure 2](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure3.png)

*Figure 2. Location of the Deepseek application*

When users fall for the trap and install the malicious “DeepSeek.apk” application, it places a look-alike DeepSeek icon on the device's home screen.

![Figure 3](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure4.png)

*Figure 3. Fake Deepseek application icon created by malware*

When users launch the malicious Deepseek application, an update screen appears. When users tap "Update," an "Allow from this source" prompt pops up, requesting permission to install an additional application.

![Figure 4](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure5-1024x451.png)

*Figure 4. Installation of fake Deepseek client application*

After completing this process, a second Deepseek application icon appears on the device's home screen, as shown in Figure 5. From this, researchers concluded that two versions of the malicious Deepseek software are installed on the device, each with a different package name.

![Figure 5](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure6.png)

*Figure 5. Multiple Deepseek icons created by malware*

To verify this, Logcat can be used to observe the installation of the two APKs, as shown in Figure 6 below.

![Figure 6](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure7.png)

*Figure 6. Logcat log*

After analysis, researchers identified the package “com.hello.world” as the parent application and “com.vgsupervision\_kit29” as the child application. Once the child application “com.vgsupervision\_kit29” is installed on the device, it repeatedly prompts the user to enable Accessibility Services for it, and keeps doing so until the user grants the request.

![Figure 7](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure8-1024x486.png)

*Figure 7. Accessibility service request from malicious application*

# **Technical Analysis**

## **Information Extraction**

To continue the analysis, security researchers attempted to extract the original “deepseek.apk” with 7-Zip, but the archive was password-protected. This is one of the malware's self-protection mechanisms, and it is becoming increasingly common. Reverse engineering tools such as APKTool and Jadx were likewise unable to process these APK files, as shown in Figure 8.

![Figure 8](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure9.png)

*Figure 8. 7zip and reverse engineering tools unable to analyze the malware*

However, once the malware was installed, the Android SDK aapt tool was able to analyze the application and extract the files it created.

![Figure 9](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure10.png)

*Figure 9. Successfully analyzed by aapt*

## **Analysis of Child Application Installation Behavior in Android Environment**

When users launch the application with the package name “com.hello.world,” it searches its bundled resource directory for a file with the extension *.cat*, as illustrated in Figure 10.

![Figure 10](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure11.png)

*Figure 10. Scanning process of .cat file in the application's resource directory*

After locating the *.cat* file, the application extracts its contents and writes them to the internal cache directory under the temporary name **Verify.apk**. It then calls *getPackageArchiveInfo()* to confirm that this file is a valid installation package (APK). If the check succeeds, the application starts the installation process, as recorded in Figure 11. Notably, the *.cat* file may itself be password-protected.

![Figure 11](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure13-1024x560.png)

*Figure 11. Processing and installation of application from .cat file*
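A triage helper built around the staging pattern described above (an added example, not code from K7 Labs or FPT Threat Intelligence): it walks an APK's res/ and assets/ entries for files carrying the .cat extension and reports whether each one is a plain embedded APK, a password-protected ZIP like the one that defeated 7-Zip, or an opaque blob. The dropper it inspects is constructed inline, and the entry names in it are assumptions.

```python
import io
import zipfile

def classify_blob(data: bytes) -> str:
    """Verdict for one payload: 'apk', 'encrypted_zip', 'zip' or 'opaque'."""
    if not data.startswith(b"PK\x03\x04"):
        return "opaque"  # not a ZIP at all: likely encrypted or obfuscated
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            infos = inner.infolist()
    except zipfile.BadZipFile:
        return "opaque"
    if any(i.flag_bits & 0x1 for i in infos):
        return "encrypted_zip"  # password-protected entries, as with the .cat file
    names = {i.filename for i in infos}
    return "apk" if {"AndroidManifest.xml", "classes.dex"} <= names else "zip"

def find_cat_payloads(apk_bytes: bytes) -> dict:
    """Map every *.cat entry under res/ or assets/ of the outer APK to a verdict."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if name.lower().endswith(".cat") and name.split("/")[0] in ("res", "assets"):
                verdicts[name] = classify_blob(outer.read(name))
    return verdicts

def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Sample helper: set the ZIP 'encrypted' flag bit, leaving data in the clear."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = b.find(sig)
        while pos != -1:
            b[pos + off] |= 0x01
            pos = b.find(sig, pos + 4)
    return bytes(b)

# Constructed sample: a parent APK hiding a child APK the way the .cat dropper does
CHILD_APK = _make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"})
SAMPLE_DROPPER = _make_zip({
    "res/raw/update.cat": CHILD_APK,                  # plain embedded APK
    "assets/locked.cat": _mark_encrypted(CHILD_APK),  # password-protected payload
    "assets/blob.cat": b"\x8f\x11not-a-zip-at-all",   # opaque blob
})
```

Run `find_cat_payloads()` over a real sample's bytes; any `apk` or `encrypted_zip` verdict on a resource that is not supposed to be an archive is worth a closer look.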

## **Communication with Command and Control Server (C2)**

After the child application (recorded with the package name “com.vgsupervision\_kit29”) is installed, it uses a Domain Generation Algorithm (DGA) to produce its C2 domains dynamically. The usual goal of this technique is to evade static domain blocklists.

The malware then scans the list of installed applications on the device and sends this information to the C2 server. The malware control commands and C2 server information are usually stored in an XML configuration file inside the **shared\_prefs** directory, as shown in Figure 12.

![Figure 12](https://labs.k7computing.com/wp-content/uploads/2025/03/Figure15-1024x501.png)

*Figure 12. Malware control commands and C2 server information*

# **IOCs Related to OctoV2 Malware**

## Package Name

| **Package Name** | **Hash** | **Detection Name** |
| --- | --- | --- |
| com.vgsupervision\_kit29 | 99fe380d9ef96ddc4f71560eb8888c00 | Trojan ( 0056e5201 ) |
| com.hello.world | E1FF086B629CE744A7C8DBE6F3DB0F68 | Trojan ( 005bc2f21 ) |

## URL

| **URL** |
| --- |
| hxxps://deepsekk\[.\]sbs/DeepSeek\[.\]apk |

# **Recommendations**

**FPT Threat Intelligence** recommends several measures for organizations and individuals to prevent this malware attack campaign:

* **Secure Data Backup**: Ensure regular offline backups to recover data in case of encryption or data loss due to malware.
* **System Updates**: Always update security patches for the operating system, applications, and firmware to protect devices from known vulnerabilities.
* **Permission Management**: Limit application access permissions to only what is necessary, especially for applications requiring sensitive access like SMS, calls, and storage.
* **Account Security**: Use strong, unique passwords and enable multi-factor authentication (MFA) for all administrative accounts, Google accounts, and related services.
* **Data Encryption**: Implement encryption for sensitive data to protect against theft or unauthorized access if the device is compromised.
* **Attack Surface Reduction**: Remove or disable unnecessary applications and services to reduce the potential for exploitation.
* **Security Awareness**: Train employees to recognize mobile malware and its infection methods, including attachments, QR codes, and fake applications.
* **Application Monitoring and Supervision**: Set up monitoring tools and alerts for any unauthorized application installations or unusual behavior like automatic data transmission.
* **Restrict Non-Google Play Installations**: Configure devices to only allow installations from trusted stores like Google Play. Limit enabling the "Unknown sources" option.
* **Use Mobile Security Software**: Install reputable security solutions to monitor abnormal behavior, check for malicious applications, and provide real-time protection.

# **References**

* [**Android Banking Trojan – OctoV2, masquerading as Deepseek AI**](https://labs.k7computing.com/index.php/android-banking-trojan-octov2-masquerading-as-deepseek-ai/)
