flexopmaat

I carried out a fixed analysis of DeepSeek, a Chinese LLM chatbot, utilizing variation 1.8.0 from the Google Play Store. The goal was to recognize potential security and privacy issues.

I have actually written about DeepSeek formerly here.

Additional security and personal privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This indicates that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants examination, especially provided the growing issues around information privacy, surveillance, photorum.eclat-mauve.fr the prospective abuse of AI -driven applications, and cyber-espionage characteristics between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising issues about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app yesterday too. - Bespoke file encryption and information obfuscation methods exist, with signs that they might be utilized to exfiltrate user details.

The app contains hard-coded public secrets, instead of relying on the user gadget's chain of trust.
UI interaction tracking captures detailed user behavior without clear approval. - WebView control is present, which could permit the app to gain access to personal external browser data when links are opened. More details about WebView adjustments is here

Device Fingerprinting & Tracking

A substantial portion of the examined code appears to concentrate on event device-specific details, which can be utilized for tracking and fingerprinting.

- The app gathers numerous special gadget identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
System properties, set up bundles, and root detection mechanisms suggest potential anti-tampering steps. E.g. probes for the presence of Magisk, a tool that personal privacy supporters and security scientists use to root their Android devices. - Geolocation and network profiling exist, showing prospective tracking capabilities and making it possible for or disabling of fingerprinting routines by area.
Hardcoded gadget design lists suggest the may behave in a different way depending on the detected hardware. - Multiple vendor-specific services are utilized to draw out extra gadget details. E.g. if it can not determine the device through basic Android SIM lookup (since approval was not given), it attempts manufacturer specific extensions to access the same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, a number of observed behaviors align with known spyware and malware patterns:

- The app utilizes reflection and UI overlays, which could assist in unauthorized screen capture or phishing attacks.
SIM card details, identification numbers, and other device-specific data are aggregated for unidentified purposes.
The app implements country-based gain access to constraints and "risk-device" detection, suggesting possible surveillance mechanisms.
The app executes calls to fill Dex modules, where additional code is packed from files with a.so extension at runtime.
The.so files themselves turn around and make extra calls to dlopen(), which can be used to load additional.so files. This facility is not typically examined by Google Play Protect and other static analysis services.
The.so files can be carried out in native code, such as C++. Making use of native code includes a layer of intricacy to the analysis procedure and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate benefits, possibly making use of vulnerabilities within the os or device hardware.

Remarks

While information collection prevails in modern applications for debugging and enhancing user experience, aggressive fingerprinting raises substantial privacy issues. The DeepSeek app requires users to visit with a valid email, which should already offer adequate authentication. There is no valid factor for the app to aggressively gather and send special device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The extent of tracking observed here exceeds common analytics practices, potentially enabling relentless user tracking and re-identification across gadgets. These habits, integrated with obfuscation techniques and network communication with third-party tracking services, require a greater level of examination from security scientists and users alike.

The work of runtime code packing as well as the bundling of native code suggests that the app could allow the release and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report is provided that remotely released code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears extreme for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and material defense are crucial, or in competitive computer game to avoid unfaithful. However, there is no clear reasoning for such rigorous procedures in an application of this nature, raising additional questions about its intent.

Users and organizations considering setting up DeepSeek ought to understand these potential dangers. If this application is being utilized within a business or federal government environment, extra vetting and security controls need to be enforced before permitting its release on managed devices.

Disclaimer: The analysis provided in this report is based on fixed code evaluation and does not suggest that all found functions are actively utilized. Further examination is required for definitive conclusions.