Static Analysis of The DeepSeek Android App
I performed a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy issues.
I've discussed DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.
See also this analysis by NowSecure of the iPhone version of DeepSeek.
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings
Suspicious Data Handling & Exfiltration
- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity monitoring. NowSecure identified these in the iPhone app yesterday as well.
- Bespoke encryption and data obfuscation methods exist, with indications that they could be used to exfiltrate user details.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulations are here.
Device Fingerprinting & Tracking
A substantial portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.
- The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and provider details.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures. E.g. the app probes for the existence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating possible tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through standard Android SIM lookup (because permission was not granted), it uses vendor-specific extensions to access the same details.
Potential Malware-Like Behavior
While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:
- The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, serial numbers, and other device-specific information are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible security mechanisms.
- The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves turn around and make additional calls to dlopen(), which can be used to load additional .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
- The .so files can be implemented in native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
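A reviewer vetting an APK can triage for the runtime-loading and root-probe indicators listed above before committing to dynamic analysis. The following is an added example, not code from the original report or from the app: the indicator set, the function names, and the sample archive are all constructed for illustration, and a string match only shows that the code is present, not that it runs.

```python
import io
import re
import zipfile

# Byte patterns for standard Android/libc names tied to the behaviours above.
INDICATORS = {
    "dex-classloader": re.compile(rb"Ldalvik/system/(?:InMemory)?DexClassLoader;"),
    "dlopen": re.compile(rb"dlopen"),
    "magisk-probe": re.compile(rb"magisk", re.I),
}
ELF_MAGIC = b"\x7fELF"


def triage_apk(apk_bytes):
    """Map each indicator to the sorted APK entries (.dex/.so) that contain it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if not entry.endswith((".dex", ".so")):
                continue
            data = apk.read(entry)
            for name, pattern in INDICATORS.items():
                if pattern.search(data):
                    hits.setdefault(name, []).append(entry)
            # A ".so" that is not an ELF object may be a Dex or archive payload.
            if entry.endswith(".so") and not data.startswith(ELF_MAGIC):
                hits.setdefault("so-not-elf", []).append(entry)
    return {name: sorted(entries) for name, entries in hits.items()}


def build_sample_apk():
    """Constructed stand-in archive; no bytes come from a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex",
                     b"dex\n035\x00Ldalvik/system/DexClassLoader;\x00/sbin/.magisk\x00")
        apk.writestr("lib/arm64-v8a/libnative.so",
                     ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"dlopen\x00dlsym\x00")
        apk.writestr("assets/plugin.so", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, entries in sorted(triage_apk(build_sample_apk()).items()):
        print(f"{name}: {', '.join(entries)}")
```

To run it against a real package, pass the file's bytes to `triage_apk` instead of the constructed sample.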
Remarks
While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
The level of tracking observed here goes beyond typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.
The use of runtime code loading along with the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence is presented in this report that remotely deployed code execution is being done, only that the facility for it appears to be present.
Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content protection are critical, or in competitive video games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.
Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.
Disclaimer: The analysis presented in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is required for definitive conclusions.