Fake DeepSeek AI App Spreads Banking Trojan
A new Android banking trojan, OctoV2, is spreading under the guise of the popular AI chatbot DeepSeek, cybersecurity researchers at K7 warn.
In a Rush? Here are the Quick Facts!
- The malware spreads via a phishing site mimicking DeepSeek’s official platform.
- It installs two malicious apps, one acting as a parent and the other a child.
- The malware uses Accessibility Service permissions to control infected devices.
The malware tricks users into installing a fake DeepSeek app, which then steals login credentials and other sensitive data.
The attack starts with a phishing website, which closely mimics DeepSeek’s official platform. When users click the link, a malicious APK file named DeepSeek.apk is downloaded to their device.
Once installed, the fake app displays an icon identical to the real DeepSeek app, making it difficult to detect. Upon launch, it prompts users to install an “update.” Clicking the update button enables the “Allow from this source” setting, allowing a second app to install itself.
This results in two instances of the malware being installed on the victim’s device—one acting as a parent app (com.hello.world) and the other as a child app (com.vgsupervision_kit29).
The child app then aggressively requests Accessibility Service permissions, continuously displaying the settings page until the user grants access. Once enabled, the malware gains extensive control over the device.
Security researchers at K7 Labs found that the malware uses advanced evasion techniques. Both the parent and child apps are password-protected, making it difficult to analyze them with traditional reverse engineering tools. The parent app extracts a hidden “.cat” file from its assets folder, renames it “Verify.apk,” and installs it as the child package.
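As an added defensive illustration (not code from the K7 report or from the malware itself), the following Python check scans an APK's assets/ folder for entries that carry a non-archive extension, such as ".cat", but are really embedded Android packages. The dropper it scans is a constructed in-memory sample, not the real DeepSeek.apk.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every zip/APK


def looks_like_apk(data: bytes) -> bool:
    """Return True if `data` is a zip archive carrying Android package markers."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names or "classes.dex" in names


def find_embedded_apks(apk_bytes: bytes) -> list:
    """List assets/ entries that are Android packages hidden under another name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            if info.filename.lower().endswith((".apk", ".zip", ".jar")):
                continue  # openly declared archives are not disguised
            if looks_like_apk(outer.read(info)):
                hits.append(info.filename)
    return hits


def build_sample_dropper() -> bytes:
    """Constructed outer APK with a child package disguised as assets/payload.cat."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("assets/payload.cat", inner.getvalue())  # hidden APK
        z.writestr("assets/fonts.cat", b"not an archive")   # benign decoy
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_apks(build_sample_dropper()))
```

Only entries whose bytes form a zip containing AndroidManifest.xml or classes.dex are reported, so ordinary data files with odd extensions do not trigger it.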
Once active, the malware scans the victim’s device for installed applications and transmits the data to a Command and Control (C2) server. It uses a Domain Generation Algorithm (DGA) to communicate with its operators, allowing it to evade domain blacklisting.
Experts warn users to be cautious when downloading apps. “Always use trusted platforms like Google Play or the App Store,” advises K7 Labs. Keeping devices updated and using reputable mobile security software can help detect and block such threats.