jungdadam

I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The goal was to identify prospective security and privacy issues.

I've discussed DeepSeek formerly here.

Additional security and privacy issues about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on fixed analysis. This suggests that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially offered the growing issues around information personal privacy, surveillance, the possible abuse of AI -driven applications, and cyber-espionage characteristics between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising issues about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app yesterday too.

Bespoke encryption and data obfuscation approaches exist, with signs that they might be utilized to exfiltrate user details.
The app contains hard-coded public keys, rather than counting on the user device's chain of trust.
UI interaction tracking records detailed user habits without clear authorization. - WebView control is present, which could allow for the app to gain access to private external browser information when links are opened. More details about WebView controls is here

Device Fingerprinting & Tracking

A substantial portion of the examined code appears to concentrate on gathering device-specific details, which can be used for tracking and fingerprinting.

- The app collects numerous special device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
System residential or commercial properties, set up plans, and root detection systems suggest potential anti-tampering procedures. E.g. probes for the existence of Magisk, a tool that personal privacy advocates and security researchers use to root their Android gadgets.
Geolocation and network profiling exist, suggesting prospective tracking capabilities and making it possible for or disabling of fingerprinting programs by region.
Hardcoded gadget model lists suggest the application may act differently depending upon the found hardware.
Multiple vendor-specific services are utilized to extract extra device details. E.g. if it can not figure out the device through basic Android SIM lookup (since permission was not given), it tries maker specific extensions to access the same details.

Potential Malware-Like Behavior

While no conclusive conclusions can be drawn without dynamic analysis, yidtravel.com numerous observed habits line up with recognized spyware and malware patterns:

- The app utilizes reflection and UI overlays, pyra-handheld.com which could assist in unauthorized screen capture or phishing attacks.
SIM card details, identification numbers, and other device-specific information are aggregated for unidentified functions.
The app executes country-based gain access to constraints and "risk-device" detection, suggesting possible security systems.
The app carries out calls to fill Dex modules, where extra code is packed from files with a.so at runtime.
The.so submits themselves turn around and make additional calls to dlopen(), which can be utilized to pack additional.so files. This center is not normally examined by Google Play Protect and other static analysis services.
The.so files can be implemented in native code, such as C++. Making use of native code includes a layer of intricacy to the analysis procedure and obscures the full degree of the app's abilities. Moreover, native code can be leveraged to more quickly intensify opportunities, potentially making use of vulnerabilities within the operating system or device hardware.

Remarks

While information collection prevails in modern applications for debugging and enhancing user experience, aggressive fingerprinting raises substantial privacy issues. The DeepSeek app requires users to visit with a valid email, which should currently supply adequate authentication. There is no valid factor for the app to strongly collect and transmit special gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system residential or commercial properties.

The extent of tracking observed here exceeds common analytics practices, possibly making it possible for relentless user tracking and re-identification across devices. These habits, combined with obfuscation methods and network interaction with third-party tracking services, call for a greater level of scrutiny from security scientists and users alike.

The work of runtime code filling as well as the bundling of native code recommends that the app could enable the implementation and execution of unreviewed, from another location provided code. This is a severe potential attack vector. No proof in this report is provided that from another location released code execution is being done, just that the facility for this appears present.

Additionally, the app's technique to discovering rooted devices appears excessive for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and material security are vital, or in competitive video games to avoid unfaithful. However, there is no clear rationale for such rigorous procedures in an application of this nature, raising additional questions about its intent.

Users and organizations thinking about setting up DeepSeek ought to be aware of these prospective threats. If this application is being used within an enterprise or federal government environment, additional vetting and security controls need to be implemented before allowing its deployment on managed gadgets.

Disclaimer: The analysis provided in this report is based on fixed code evaluation and does not suggest that all identified functions are actively used. Further investigation is required for conclusive conclusions.