Static Analysis of The DeepSeek Android App
I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy concerns.
I've discussed DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.
See also this analysis by NowSecure of the iPhone version of DeepSeek.
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no conclusive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, particularly given the growing concerns around data privacy, surveillance, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings
Suspicious Data Handling & Exfiltration
- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app yesterday too.
- Bespoke encryption and data obfuscation techniques are present, with indications that they might be used to exfiltrate user details.
- The app contains hard-coded public keys, instead of depending on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulation are here.
Device Fingerprinting & Tracking
A substantial portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.
- The app gathers numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest possible anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through the standard Android SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same details.
Potential Malware-Like Behavior
While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:
- The app uses reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific information are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible security mechanisms.
- The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves turn around and make additional calls to dlopen(), which can be used to load additional .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
- The .so files can be implemented in native code, such as C++. Using native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
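The fingerprinting and code-loading findings above are the kind of result a first-pass indicator scan over decompiled Java produces. The sketch below is an added example, not the tooling used for this report: the rule grouping, the sample file names, and the `collector.example.invalid` URL are constructed for illustration, and it covers only the Java side, not strings inside the .so files.

```python
import re
from collections import defaultdict

# Rules grouped by the report's finding categories. The API, class and package
# names are real Android/libc identifiers; the grouping is this example's own.
RULES = {
    "device-identifier": [r"\bgetImei\b", r"\bgetDeviceId\b", r"\bgetSubscriberId\b",
                          r"\bgetSimSerialNumber\b", r"\bANDROID_ID\b"],
    "root-detection": [r"(?i)magisk", r"/s?bin/su\b"],
    "dynamic-code-loading": [r"\b(?:Dex|InMemoryDex|Path)ClassLoader\b",
                             r"\bSystem\.load(?:Library)?\b", r"\bdlopen\b"],
    "hardcoded-endpoint": [r"https?://[\w.-]+"],
}
COMPILED = {c: [re.compile(p) for p in ps] for c, ps in RULES.items()}


def scan(sources):
    """Map category -> [(file, line_no, matched_text)] for {file: source_text}."""
    findings = defaultdict(list)
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for cat, patterns in COMPILED.items():
                for pat in patterns:
                    for m in pat.finditer(line):
                        findings[cat].append((name, no, m.group(0)))
    return dict(findings)


def files_combining(findings, *cats):
    """Files that hit every listed category, e.g. identifiers plus root checks."""
    per_cat = [{f for f, _, _ in findings.get(c, [])} for c in cats]
    return sorted(set.intersection(*per_cat)) if per_cat else []


# Constructed sample input standing in for decompiler output (not from the app).
SAMPLE = {
    "a/b/DeviceInfo.java": 'String id = tm.getImei();\n'
                           'String imsi = tm.getSubscriberId();\n'
                           'String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);\n'
                           'String[] probes = {"/sbin/su", "com.topjohnwu.magisk"};\n',
    "a/c/Loader.java": 'ClassLoader cl = new DexClassLoader(path, opt, null, parent);\n'
                       'System.loadLibrary("example");\n'
                       'String u = "https://collector.example.invalid/v1/log";\n',
}

if __name__ == "__main__":
    result = scan(SAMPLE)
    for cat in RULES:
        for name, no, text in result.get(cat, []):
            print(f"{cat:22} {name}:{no}  {text}")
    print("identifiers + root checks:",
          files_combining(result, "device-identifier", "root-detection"))
```

Name-based rules miss identifiers reached through reflection or string obfuscation, so an empty result from a scan like this does not clear an app.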
Remarks
While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
The degree of tracking observed here goes beyond common analytics practices, potentially allowing persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation methods and network communication with third-party tracking services, warrant a greater level of scrutiny from security researchers and users alike.
The use of runtime code loading along with the bundling of native code suggests that the app might permit the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. This report presents no evidence that remotely deployed code is being executed, only that the facility for this appears to be present.
Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and content protection are critical, or in competitive video games to prevent cheating. However, there is no clear rationale for such rigorous measures in an application of this nature, raising additional concerns about its intent.
Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be implemented before allowing its deployment on managed devices.
Disclaimer: The analysis provided in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is needed for definitive conclusions.