GitLab

I conducted a fixed analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The goal was to determine prospective security and personal privacy problems.

I have actually blogged about DeepSeek formerly here.

Additional security and privacy concerns about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially offered the growing issues around data privacy, surveillance, the possible abuse of AI-driven applications, and cyber-espionage dynamics in between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app the other day also.

• Bespoke encryption and data obfuscation methods are present, with indicators that they could be utilized to exfiltrate user details.
• The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
• UI interaction tracking records detailed user habits without clear authorization. - WebView manipulation is present, which could permit the app to gain access to private external browser data when links are opened. More details about WebView controls is here
  
  Device Fingerprinting & Tracking
  
  A significant part of the examined code appears to focus on event device-specific details, which can be utilized for tracking and fingerprinting.
  
  - The different unique device identifiers, championsleage.review including UDID, Android ID, yewiki.org IMEI, IMSI, and carrier details.
• System properties, installed bundles, and root detection systems suggest possible anti-tampering steps. E.g. probes for the existence of Magisk, a tool that privacy advocates and security scientists use to root their Android gadgets.
• Geolocation and network profiling exist, indicating potential tracking capabilities and making it possible for or disabling of fingerprinting programs by region. - Hardcoded gadget design lists recommend the application might act differently depending on the spotted hardware. - Multiple vendor-specific services are used to draw out extra device details. E.g. if it can not determine the device through basic Android SIM lookup (since approval was not given), it tries manufacturer particular extensions to access the very same details.
  
  Potential Malware-Like Behavior
  
  While no conclusive conclusions can be drawn without dynamic analysis, several observed habits line up with known spyware and malware patterns:
  
  - The app utilizes reflection and UI overlays, which might help with unauthorized screen capture or phishing attacks.
• SIM card details, serial numbers, and other device-specific information are aggregated for unknown purposes.
• The app implements country-based gain access to constraints and "risk-device" detection, recommending possible monitoring systems.
• The app executes calls to fill Dex modules, where extra code is filled from files with a.so extension at runtime.
• The.so files themselves reverse and make extra calls to dlopen(), which can be utilized to pack additional.so files. This facility is not usually examined by Google Play Protect and other fixed analysis services.
• The.so files can be carried out in native code, such as C++. Making use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's abilities. Moreover, native code can be leveraged to more easily intensify advantages, possibly making use of vulnerabilities within the operating system or device hardware.
  
  Remarks
  
  While data collection prevails in modern applications for debugging and improving user experience, aggressive fingerprinting raises substantial privacy issues. The DeepSeek app requires users to visit with a valid email, forum.pinoo.com.tr which ought to already provide adequate authentication. There is no valid reason for the app to aggressively collect and transfer distinct device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.
  
  The level of tracking observed here surpasses common analytics practices, potentially enabling persistent user tracking and re-identification across devices. These habits, combined with obfuscation methods and network communication with third-party tracking services, necessitate a greater level of analysis from security scientists and users alike.
  
  The employment of runtime code loading in addition to the bundling of native code recommends that the app might allow the release and execution of unreviewed, remotely delivered code. This is a major prospective attack vector. No proof in this report is provided that from another location deployed code execution is being done, only that the center for this appears present.
  
  Additionally, the app's approach to spotting rooted gadgets appears excessive for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and material security are crucial, scientific-programs.science or in competitive video games to avoid unfaithful. However, there is no clear reasoning for such strict procedures in an application of this nature, raising additional questions about its intent.
  
  Users and companies considering installing DeepSeek ought to know these possible risks. If this application is being used within a business or federal government environment, extra vetting and security controls need to be implemented before enabling its release on managed gadgets.
  
  Disclaimer: The analysis presented in this report is based on static code evaluation and does not suggest that all discovered functions are actively used. Further examination is needed for conclusive conclusions.