Static Analysis of The DeepSeek Android App
chiquita87a425 edited this page 10 months ago


I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The goal was to recognize potential security and privacy issues.

I have written about DeepSeek previously here.

Additional security and privacy issues about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no conclusive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure identified these in the iPhone app yesterday as well.
- Bespoke file encryption and data obfuscation techniques are present, with indicators that they could be used to exfiltrate user details.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulations are here.

Device Fingerprinting & Tracking

A significant portion of the analyzed code appears to focus on gathering device-specific information, which can be used for tracking and fingerprinting.

- The app collects numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating possible tracking capabilities and enabling or disabling of fingerprinting programs by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device information. E.g. if it cannot identify the device through standard Android SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same information.
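One way a reviewer could triage decompiled sources for the identifier-collection and root-probe indicators listed above. This is an added example, not code from the report or from the app: the Android API names are real SDK calls, while the category labels, file names and sample source are constructed for illustration.

```python
import re
from collections import defaultdict

# Real Android SDK call names; the category labels are this example's own.
INDICATORS = {
    "imei": re.compile(r"\.(getDeviceId|getImei|getMeid)\s*\("),
    "imsi": re.compile(r"\.getSubscriberId\s*\("),
    "sim_serial": re.compile(r"\.getSimSerialNumber\s*\("),
    "android_id": re.compile(r'Settings\.Secure\.ANDROID_ID|"android_id"'),
    "carrier": re.compile(r"\.get(Network|Sim)Operator(Name)?\s*\("),
    "installed_packages": re.compile(r"\.getInstalled(Packages|Applications)\s*\("),
    "root_probe": re.compile(r"com\.topjohnwu\.magisk|/s?bin/su\b|/xbin/su\b"),
}

def scan(sources):
    """Return {category: [(path, line_no), ...]} for every indicator hit."""
    hits = defaultdict(list)
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for cat, rx in INDICATORS.items():
                if rx.search(line):
                    hits[cat].append((path, no))
    return dict(hits)

def aggregators(hits, threshold=3):
    """Files that touch `threshold` or more distinct identifier categories."""
    per_file = defaultdict(set)
    for cat, locs in hits.items():
        if cat != "root_probe":  # root checks are reported, not counted as identifiers
            for path, _ in locs:
                per_file[path].add(cat)
    return sorted(p for p, cats in per_file.items() if len(cats) >= threshold)

# Constructed sample standing in for decompiler output (not code from the app).
SAMPLE = {
    "a/b/DeviceInfo.java": '''
TelephonyManager tm = (TelephonyManager) ctx.getSystemService("phone");
String imei = tm.getDeviceId();
String imsi = tm.getSubscriberId();
String op = tm.getNetworkOperatorName();
String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
''',
    "a/b/EnvCheck.java": '''
boolean rooted = new File("/sbin/su").exists() || hasPkg("com.topjohnwu.magisk");
''',
}

if __name__ == "__main__":
    print(scan(SAMPLE), aggregators(scan(SAMPLE)))
```

A single file that reads several non-resettable identifiers is the aggregation pattern worth reviewing first; obfuscated or reflective calls will not match these patterns and still need manual inspection.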

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific information are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves turn around and make additional calls to dlopen(), which can be used to load additional .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
- The .so files can be implemented in native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
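A vetting check for the runtime-loading pattern described in the last three items, as an added example that is not code from the report or the app. It assumes the APK is available as bytes, uses simple byte-level heuristics, and runs on a constructed archive whose entry names and contents are made up.

```python
import io
import zipfile

DEX_LOADERS = (b"Ldalvik/system/DexClassLoader;",
               b"Ldalvik/system/InMemoryDexClassLoader;")
NATIVE_LOADERS = (b"dlopen", b"android_dlopen_ext", b"dlsym")

def scan_apk(apk_bytes):
    """Map each APK entry to the runtime-loading indicators found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            hits = []
            if name.endswith(".dex"):
                # Type descriptors sit as plain bytes in the dex string table.
                hits = [d.decode() for d in DEX_LOADERS if d in data]
            elif name.endswith(".so"):
                if data[:4] != b"\x7fELF":
                    # A ".so" that is not ELF (dex, zip, ...) is not a native
                    # library and needs a closer look.
                    hits.append("not-elf:" + data[:4].hex())
                # Imported symbol names are NUL-delimited in .dynstr.
                hits += [s.decode() for s in NATIVE_LOADERS
                         if b"\0" + s + b"\0" in data]
            if hits:
                findings[name] = hits
    return findings

def build_sample_apk():
    """Constructed stand-in for an APK; entry names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + DEX_LOADERS[0] + b"\0")
        z.writestr("lib/arm64-v8a/libcore_a.so",
                   b"\x7fELF" + b"\0" * 12 + b"\0dlopen\0dlsym\0")
        z.writestr("lib/arm64-v8a/libplain.so",
                   b"\x7fELF" + b"\0" * 12 + b"\0memcpy\0")
        z.writestr("lib/arm64-v8a/libmod.so", b"dex\n035\0payload")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, hits in sorted(scan_apk(build_sample_apk()).items()):
        print(entry, hits)
```

A hit is a lead for manual review rather than proof of remote code loading, and libraries that resolve loader symbols indirectly will not be caught by a string match.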

Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading as well as the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report is presented that remotely deployed code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content protection are critical, or in competitive video games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is needed for definitive conclusions.