cubed-l

I conducted a fixed analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to determine potential security and personal privacy issues.

I have actually discussed DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based purely on static analysis. This suggests that while the code exists within the app, there is no conclusive evidence that all of it is executed in practice. Nonetheless, the existence of such code warrants scrutiny, disgaeawiki.info especially given the growing concerns around data personal privacy, bytes-the-dust.com monitoring, the prospective misuse of AI -driven applications, and cyber-espionage dynamics between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app the other day as well.

Bespoke encryption and information obfuscation approaches exist, with indications that they could be utilized to user details.
The app contains hard-coded public keys, sitiosecuador.com instead of relying on the user device's chain of trust.
UI interaction tracking captures detailed user habits without clear approval. - WebView adjustment exists, which could permit for the app to gain access to private external browser data when links are opened. More details about WebView adjustments is here

Device Fingerprinting & Tracking

A considerable part of the evaluated code appears to focus on event device-specific details, which can be utilized for tracking and fingerprinting.

- The app gathers various unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
System properties, set up bundles, and root detection systems suggest possible anti-tampering procedures. E.g. probes for the presence of Magisk, a tool that privacy supporters and security researchers use to root their Android gadgets. - Geolocation and network profiling exist, suggesting prospective tracking abilities and enabling or disabling of fingerprinting regimes by region. - Hardcoded gadget model lists recommend the application may behave in a different way depending upon the found hardware.
Multiple vendor-specific services are used to draw out extra gadget details. E.g. if it can not figure out the gadget through basic Android SIM lookup (due to the fact that approval was not granted), it tries maker particular extensions to access the exact same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, a number of observed habits align with recognized spyware and malware patterns:

- The app uses reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
SIM card details, serial numbers, classihub.in and other device-specific information are aggregated for unknown purposes.
The app implements country-based gain access to constraints and "risk-device" detection, suggesting possible surveillance mechanisms.
The app implements calls to pack Dex modules, where extra code is loaded from files with a.so extension at runtime.
The.so files themselves reverse and make extra calls to dlopen(), which can be utilized to fill additional.so files. This facility is not generally examined by Google Play Protect and asteroidsathome.net other static analysis services.
The.so files can be implemented in native code, such as C++. Making use of native code includes a layer of intricacy to the analysis process and obscures the complete level of the app's abilities. Moreover, native code can be leveraged to more easily intensify opportunities, possibly exploiting vulnerabilities within the os or gadget hardware.

Remarks

While data collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises substantial privacy issues. The DeepSeek app requires users to log in with a valid email, which should currently supply sufficient authentication. There is no valid reason for the app to aggressively collect and transmit distinct device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The level of tracking observed here goes beyond common analytics practices, possibly allowing relentless user tracking and re-identification throughout devices. These behaviors, combined with obfuscation methods and network communication with third-party tracking services, call for a greater level of scrutiny from security researchers and users alike.

The employment of runtime code filling in addition to the bundling of native code suggests that the app might enable the release and execution of unreviewed, from another location provided code. This is a serious prospective attack vector. No evidence in this report exists that remotely released code execution is being done, only that the center for this appears present.

Additionally, the app's approach to spotting rooted devices appears excessive for an AI chatbot. Root detection is frequently warranted in DRM-protected streaming services, where security and content protection are important, or in competitive video games to avoid unfaithful. However, there is no clear rationale for such rigorous procedures in an application of this nature, raising additional questions about its intent.

Users and organizations considering installing DeepSeek needs to understand these possible threats. If this application is being used within a business or federal government environment, additional vetting and security controls should be enforced before permitting its implementation on handled devices.

Disclaimer: The analysis provided in this report is based on fixed code review and does not indicate that all found functions are actively used. Further examination is needed for conclusive conclusions.