coral-sendai

I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to determine prospective security and privacy problems.

I've discussed DeepSeek formerly here.

Additional security and privacy concerns about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone version of DeepSeek

The findings detailed in this report are based simply on fixed analysis. This indicates that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants examination, specifically given the growing concerns around information privacy, security, the possible abuse of AI -driven applications, and wiki.dulovic.tech cyber-espionage dynamics in between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app the other day as well.

Bespoke file encryption and valetinowiki.racing information obfuscation techniques exist, with indicators that they could be used to exfiltrate user details.
The app contains hard-coded public secrets, fishtanklive.wiki rather than counting on the user device's chain of trust.
UI interaction tracking catches detailed user behavior without clear permission.
WebView adjustment is present, which could permit for the app to gain access to personal external internet browser information when links are opened. More details about WebView adjustments is here

Device Fingerprinting & Tracking

A considerable portion of the evaluated code appears to concentrate on event device-specific details, which can be used for tracking and fingerprinting.

- The app collects different unique gadget identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
System properties, installed packages, and root detection systems recommend potential anti-tampering steps. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and security researchers use to root their Android devices.
Geolocation and network profiling exist, indicating potential tracking abilities and making it possible for or disabling of fingerprinting routines by region.
Hardcoded device model lists suggest the application may behave in a different way depending upon the identified hardware.
Multiple vendor-specific services are used to draw out additional device details. E.g. if it can not identify the device through standard Android SIM lookup (since consent was not granted), it tries manufacturer specific extensions to access the exact same details.

Potential Malware-Like Behavior

While no conclusive conclusions can be drawn without dynamic analysis, several observed habits align with known spyware and malware patterns:

- The app utilizes reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
SIM card details, serial numbers, and other device-specific information are aggregated for unidentified functions.
The app executes country-based gain access to constraints and "risk-device" detection, recommending possible security mechanisms.
The app carries out calls to fill Dex modules, where additional code is packed from files with a.so extension at runtime.
The.so files themselves turn around and make additional calls to dlopen(), demo.qkseo.in which can be utilized to load additional.so files. This facility is not generally examined by Google Play Protect and other static analysis services.
The.so files can be executed in native code, such as C++. The usage of native code adds a layer of intricacy to the analysis process and obscures the complete extent of the app's abilities. Moreover, native code can be leveraged to more easily intensify opportunities, possibly making use of vulnerabilities within the os or device hardware.

Remarks

While information collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises significant personal privacy issues. The DeepSeek app needs users to visit with a legitimate email, which must currently offer adequate authentication. There is no valid reason for the app to strongly collect and transmit distinct gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The level of tracking observed here exceeds normal analytics practices, photorum.eclat-mauve.fr possibly making it possible for persistent user tracking and re-identification throughout devices. These habits, integrated with obfuscation strategies and network communication with third-party tracking services, require a greater level of scrutiny from security scientists and users alike.

The work of runtime code filling as well as the bundling of native code suggests that the app might allow the release and execution of unreviewed, remotely delivered code. This is a severe possible attack vector. No proof in this report is provided that from another location deployed code execution is being done, just that the facility for this appears present.

Additionally, the app's method to finding rooted devices appears extreme for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and material security are important, or in competitive video games to avoid unfaithful. However, there is no clear reasoning for such rigorous steps in an application of this nature, raising further concerns about its intent.

Users and companies thinking about setting up DeepSeek ought to be aware of these possible dangers. If this application is being used within an enterprise or federal government environment, extra vetting and security controls need to be implemented before permitting its deployment on managed gadgets.

Disclaimer: The presented in this report is based on fixed code evaluation and does not indicate that all identified functions are actively used. Further examination is needed for conclusive conclusions.