I performed a fixed analysis of DeepSeek, a Chinese LLM chatbot, utilizing variation 1.8.0 from the Google Play Store. The objective was to recognize potential security and privacy problems.

I’ve discussed DeepSeek previously here.

Additional security and personal privacy issues about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This suggests that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the existence of such code warrants scrutiny, specifically offered the growing issues around information privacy, monitoring, the possible misuse of AI-driven applications, and cyber-espionage characteristics between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

– Hardcoded URLs direct information to external servers, raising concerns about user activity monitoring, akropolistravel.com such as to ByteDance «volce.com» endpoints. NowSecure identifies these in the iPhone app the other day too. – Bespoke encryption and data obfuscation approaches exist, with indications that they could be utilized to exfiltrate user details. – The app contains hard-coded public keys, rather than depending on the user gadget’s chain of trust. – UI interaction tracking captures detailed user behavior without clear permission. – WebView control exists, which could permit the app to gain access to private external browser data when links are opened. More details about WebView adjustments is here

Device Fingerprinting & Tracking

A substantial part of the evaluated code appears to concentrate on event device-specific details, which can be used for tracking and fingerprinting.

– The app gathers numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details. – System properties, set up plans, and root detection systems suggest potential anti-tampering measures. E.g. probes for the existence of Magisk, a tool that privacy supporters and security researchers use to root their Android devices. – Geolocation and network profiling are present, indicating possible tracking capabilities and enabling or disabling of fingerprinting programs by area. – Hardcoded gadget design lists suggest the application may act differently depending on the found hardware. – Multiple vendor-specific services are used to draw out additional gadget details. E.g. if it can not figure out the device through basic Android SIM lookup (since authorization was not approved), it attempts manufacturer particular extensions to access the exact same details.

Potential Malware-Like Behavior

While no conclusive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

– The app utilizes reflection and UI overlays, which might help with unapproved screen capture or phishing attacks. – SIM card details, serial numbers, and other device-specific information are aggregated for unidentified purposes. – The app implements country-based gain access to constraints and «risk-device» detection, suggesting possible monitoring mechanisms. – The app implements calls to pack Dex modules, where extra code is loaded from files with a.so extension at runtime. – The.so files themselves turn around and make extra calls to dlopen(), which can be utilized to load additional.so files. This facility is not typically checked by Google Play Protect and other fixed analysis services. – The.so files can be in native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full degree of the app’s abilities. Moreover, native code can be leveraged to more quickly intensify opportunities, potentially making use of vulnerabilities within the operating system or device hardware.

Remarks

While information collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises significant personal privacy concerns. The DeepSeek app requires users to visit with a valid email, which should already provide sufficient authentication. There is no legitimate factor for the app to strongly collect and transfer special device identifiers, asteroidsathome.net IMEI numbers, SIM card details, oke.zone and other non-resettable system homes.

The extent of tracking observed here goes beyond common analytics practices, possibly making it possible for consistent user tracking and re-identification across gadgets. These behaviors, integrated with obfuscation strategies and network interaction with third-party tracking services, call for a greater level of examination from security researchers and users alike.

The work of runtime code loading along with the bundling of native code suggests that the app might allow the deployment and execution of unreviewed, remotely delivered code. This is a major prospective attack vector. No proof in this report is provided that remotely released code execution is being done, only that the facility for this appears present.

Additionally, the app’s method to identifying rooted gadgets appears excessive for an AI chatbot. Root detection is often warranted in DRM-protected streaming services, where security and content defense are crucial, or in competitive computer game to avoid unfaithful. However, there is no clear reasoning for such stringent measures in an application of this nature, raising more concerns about its intent.

Users and organizations considering setting up DeepSeek must be mindful of these potential risks. If this application is being utilized within a business or government environment, additional vetting and security controls ought to be implemented before permitting its implementation on managed gadgets.

Disclaimer: The analysis presented in this report is based upon fixed code evaluation and does not imply that all identified functions are actively used. Further examination is required for conclusive conclusions.