Static Analysis of The DeepSeek Android App - gob

I carried out a static analysis of DeepSeek, sciencewiki.science a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to recognize possible security and privacy problems.

I have actually composed about DeepSeek previously here.

Additional security and privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This indicates that while the code exists within the app, there is no conclusive proof that all of it is carried out in practice. Nonetheless, the presence of such code warrants analysis, specifically provided the growing concerns around information personal privacy, monitoring, the potential abuse of AI -driven applications, kenpoguy.com and cyber-espionage characteristics in between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising issues about user activity tracking, disgaeawiki.info such as to ByteDance "volce.com" endpoints. NowSecure identifies these in the iPhone app yesterday also.

Bespoke encryption and data obfuscation techniques exist, with indicators that they could be utilized to exfiltrate user details.
The app contains hard-coded public secrets, rather than depending on the user gadget's chain of trust.
UI interaction tracking catches detailed user habits without clear approval. - WebView adjustment exists, which might allow for the app to gain access to personal external web browser data when links are opened. More details about WebView manipulations is here

Device Fingerprinting & Tracking

A considerable portion of the evaluated code appears to concentrate on event device-specific details, which can be utilized for tracking and fingerprinting.

- The app collects various distinct device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
System residential or commercial properties, installed plans, and root detection systems recommend prospective anti-tampering steps. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and security researchers utilize to root their Android gadgets.
Geolocation and network profiling exist, suggesting possible tracking abilities and enabling or disabling of fingerprinting regimes by area. - Hardcoded device model lists recommend the application may behave differently depending upon the spotted hardware. - Multiple vendor-specific services are used to extract additional device details. E.g. if it can not identify the device through standard Android SIM lookup (because authorization was not approved), it tries manufacturer particular extensions to access the exact same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without vibrant analysis, several observed behaviors line up with recognized spyware and malware patterns:

- The app uses reflection and UI overlays, which could help with unapproved screen capture or phishing attacks.
SIM card details, serial numbers, and other device-specific information are aggregated for unknown purposes.
The app executes country-based gain access to constraints and "risk-device" detection, suggesting possible security mechanisms.
The app executes calls to pack Dex modules, where additional code is filled from files with a.so extension at runtime.
The.so files themselves turn around and make additional calls to dlopen(), which can be utilized to fill additional.so files. This facility is not usually examined by Google Play Protect and other fixed analysis services.
The.so files can be executed in native code, such as C++. Making use of native code includes a layer of complexity to the analysis process and obscures the complete degree of the app's capabilities. Moreover, native code can be leveraged to more quickly escalate opportunities, possibly exploiting vulnerabilities within the os or gadget hardware.

Remarks

While data collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises substantial privacy concerns. The DeepSeek app needs users to visit with a legitimate email, which must currently supply adequate authentication. There is no legitimate factor for the app to aggressively gather and send unique gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The extent of tracking observed here exceeds common analytics practices, potentially enabling persistent user tracking and re-identification throughout devices. These behaviors, integrated with obfuscation techniques and network communication with third-party tracking services, call for a higher level of scrutiny from security researchers and users alike.

The employment of runtime code packing along with the bundling of native code suggests that the app could enable the deployment and execution of unreviewed, remotely provided code. This is a severe possible attack vector. No evidence in this report is presented that code execution is being done, humanlove.stream only that the center for this appears present.

Additionally, the app's technique to discovering rooted devices appears excessive for an AI chatbot. Root detection is frequently warranted in DRM-protected streaming services, where security and material protection are important, or in competitive video games to avoid unfaithful. However, there is no clear rationale for such rigorous procedures in an application of this nature, raising further concerns about its intent.

Users and companies considering setting up DeepSeek ought to understand these possible threats. If this application is being utilized within an enterprise or government environment, extra vetting and security controls must be implemented before permitting its implementation on managed devices.

Disclaimer: wiki.vst.hs-furtwangen.de The analysis provided in this report is based upon fixed code evaluation and does not imply that all found functions are actively utilized. Further investigation is needed for definitive conclusions.