Android Malware Disguised as DeepSeek Steals Users’ Login Credentials

A recent cybersecurity threat has emerged in the form of Android malware masquerading as the DeepSeek AI application.

This malicious software is designed to deceive users into downloading a fake version of the DeepSeek app, which then compromises their device’s security by stealing sensitive information such as login credentials.

Malware Propagation and Installation

The malware is propagated through phishing links, such as hxxps://deepsekk[.]sbs, which lead users to download a malicious APK file named DeepSeek.apk with the hash e1ff086b629ce744a7c8dbe6f3db0f68.

Once installed, the app appears with the genuine DeepSeek icon in the device’s app drawer, making it difficult for users to distinguish it from the legitimate version.

Upon launching the fake app, users are prompted to update it, which requires enabling the “Allow from this source” option and installing an additional app.

This results in two instances of the malware being installed on the device, each with a different package name: com.hello.world and com.vgsupervision_kit291.

Technical Analysis and Impact

The malicious app employs advanced evasion techniques, including password protection for the APK files, which complicates analysis using standard tools like APKTool and Jadx.

However, the Android SDK tool aapt was successful in parsing the app.

The child app, com.vgsupervision_kit29, frequently prompts users to enable Accessibility Services, allowing it to gain elevated permissions on the device.

According to K7 Security Labs Report, this app uses a Domain Generation Algorithm (DGA) for Command & Control (C2) communication, making it harder to track and block its activities.

The malware scans the device for installed applications and transmits this information to the C2 server, further compromising user privacy.

To protect against such threats, users are advised to download apps only from reputable platforms like Google Play and the App Store, and to keep their devices updated with the latest security patches.

Utilizing a reputable mobile security product, such as K7 Mobile Security, can also help detect and prevent these types of malware attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.