
Static Analysis of The DeepSeek Android App

I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to identify potential security and privacy issues.

I've written about DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, surveillance, the possible abuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

– Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance «volce.com» endpoints. NowSecure identified these in the iPhone app yesterday too.
– Bespoke encryption and data obfuscation methods exist, with indicators that they could be used to exfiltrate user information.
– The app contains hard-coded public keys, instead of relying on the user device's chain of trust.
– UI interaction tracking captures detailed user behaviour without clear consent.
– WebView manipulation is present, which might allow the app to access private external browser data when links are opened. More details about WebView manipulations are here.

Device Fingerprinting & Tracking

A significant part of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.

– The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
– System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
– Geolocation and network profiling are present, suggesting possible tracking capabilities and the enabling or disabling of fingerprinting routines by region.
– Hardcoded device model lists suggest the application might behave differently depending on the detected hardware.
– Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through the standard Android SIM lookup (because permission was not granted), it tries manufacturer-specific extensions to access the same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviours align with known spyware and malware patterns:

– The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
– SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
– The app implements country-based access restrictions and «risk-device» detection, suggesting possible surveillance mechanisms.
– The app makes calls to load Dex modules, where additional code is loaded at runtime from files with a .so extension.
– The .so files themselves in turn make calls to dlopen(), which can be used to load additional .so files. This facility is not generally examined by Google Play Protect and other static analysis services.
– The .so files can be executed as native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to escalate privileges more easily, potentially exploiting vulnerabilities within the OS or device hardware.
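As an added illustration of how the indicator classes in the three findings lists above (identifier collection, root detection, runtime code loading, hardcoded endpoints, WebView manipulation) can be checked during a static pass over decompiled code, the following Python scanner is example code written for this page, not code from the original post or from the app. The API names, patterns and sample lines are constructed assumptions about what such a scan typically looks for; they are not identifiers taken from the DeepSeek decompilation.

```python
import re
from collections import defaultdict

# Indicator patterns grouped by the report's finding categories. These are assumed
# Android API names and strings, not identifiers taken from the DeepSeek app.
INDICATORS = {
    "device_identifiers": [r"\bgetDeviceId\(", r"\bgetImei\(", r"\bgetSubscriberId\(",
                           r"\bgetSimSerialNumber\(", r"Settings\.Secure\.ANDROID_ID"],
    "root_detection": [r"magisk", r"/system/xbin/su"],
    "dynamic_code_loading": [r"\bDexClassLoader\(", r"\bSystem\.load(Library)?\(", r"\bdlopen\("],
    "hardcoded_endpoints": [r"https?://[\w.-]+"],
    "webview_manipulation": [r"\baddJavascriptInterface\(", r"setJavaScriptEnabled\(true\)"],
}

def scan_source(lines):
    """Return {category: [(line_no, matched_text), ...]} for every line that hits."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for category, patterns in INDICATORS.items():
            for pat in patterns:
                m = re.search(pat, line, re.IGNORECASE)
                if m:
                    hits[category].append((n, m.group(0)))
                    break  # one hit per category per line is enough for triage
    return dict(hits)

def triage(hits):
    """Map co-occurring categories to the higher-level concerns the report raises."""
    concerns = []
    if "device_identifiers" in hits and "hardcoded_endpoints" in hits:
        concerns.append("possible_exfiltration")  # identifiers plus somewhere to send them
    for category, concern in (("dynamic_code_loading", "runtime_code_loading"),
                              ("root_detection", "anti_tampering"),
                              ("webview_manipulation", "webview_manipulation")):
        if category in hits:
            concerns.append(concern)
    return concerns

# Constructed sample of decompiled-Java-style lines (not taken from the real app).
SAMPLE = """\
String imei = tm.getDeviceId();
String imsi = tm.getSubscriberId();
String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
if (new File("/sbin/.magisk").exists()) flagRiskDevice();
ClassLoader cl = new DexClassLoader(dexPath, optDir, null, parent);
System.loadLibrary("native_bridge");
String url = "https://collector.example/v1/collect";
webView.addJavascriptInterface(bridge, "Android");
""".splitlines()
```

Run `scan_source` over the output of a decompiler such as jadx and feed the result to `triage`; a hit only shows the code is present, which is exactly the static-analysis caveat the report makes.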

Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The level of tracking observed here goes beyond common analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviours, combined with obfuscation techniques and network communication with third-party tracking services, call for a greater level of scrutiny from security researchers and users alike.

The use of runtime code loading, as well as the bundling of native code, suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. There is no evidence in this report that remotely deployed code execution is actually being done, only that the facility for it appears to be present.

Additionally, the app's approach to detecting rooted devices seems excessive for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and content protection are crucial, or in competitive games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before permitting its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code evaluation and does not imply that all discovered functions are actively used. Further investigation is required for definitive conclusions.