I performed a static analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The objective was to recognize potential security and personal privacy problems.
I have actually discussed DeepSeek previously here.
Additional security and personal privacy issues about DeepSeek have actually been raised.
See also this analysis by NowSecure of the iPhone variation of DeepSeek
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive evidence that all of it is carried out in practice. Nonetheless, the existence of such code warrants examination, especially offered the growing concerns around information personal privacy, monitoring, the prospective misuse of AI-driven applications, and cyber-espionage characteristics between international powers.
Key Findings
Suspicious Data Handling & Exfiltration
- Hardcoded URLs direct information to external servers, raising issues about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure identifies these in the iPhone app yesterday also.
- Bespoke file encryption and data obfuscation techniques are present, with signs that they could be used to exfiltrate user details.
- The app contains hard-coded public secrets, instead of counting on the user device's chain of trust.
- UI interaction tracking records detailed user habits without clear authorization.
- WebView control is present, which might permit the app to gain access to private external browser data when links are opened. More details about WebView manipulations is here
Device Fingerprinting & Tracking
A substantial portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.
- The app gathers numerous unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details. - System residential or commercial properties, set up plans, and root detection systems suggest possible anti-tampering procedures. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and bbarlock.com security scientists utilize to root their Android devices.
- Geolocation and network profiling exist, wiki.piratenpartei.de suggesting prospective tracking capabilities and allowing or disabling of fingerprinting programs by region.
- Hardcoded device design lists recommend the application might act differently depending on the spotted hardware.
- Multiple vendor-specific services are used to extract extra device details. E.g. if it can not identify the device through standard Android SIM lookup (because approval was not granted), it attempts manufacturer specific extensions to access the exact same details.
Potential Malware-Like Behavior
While no definitive conclusions can be drawn without dynamic analysis, several observed habits align with known spyware and malware patterns:
- The app utilizes reflection and UI overlays, which could assist in unapproved screen capture or phishing attacks. - SIM card details, identification numbers, yogicentral.science and other device-specific data are aggregated for unidentified functions.
- The app executes country-based gain access to constraints and "risk-device" detection, recommending possible security mechanisms.
- The app executes calls to fill Dex modules, where additional code is packed from files with a.so extension at runtime.
- The.so submits themselves reverse and setiathome.berkeley.edu make extra calls to dlopen(), which can be utilized to load additional.so files. This center is not usually examined by Google Play Protect and other fixed analysis services.
- The.so files can be executed in native code, such as C++. Using native code adds a layer of intricacy to the analysis procedure and obscures the full level of the app's abilities. Moreover, native code can be leveraged to more quickly intensify opportunities, potentially exploiting vulnerabilities within the os or gadget hardware.
Remarks
While data collection prevails in modern applications for debugging and enhancing user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a legitimate email, which need to already provide sufficient authentication. There is no valid factor for the app to strongly collect and transmit distinct device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
The extent of tracking observed here exceeds typical analytics practices, agora-antikes.gr potentially enabling persistent user and re-identification across devices. These habits, combined with obfuscation techniques and network communication with third-party tracking services, call for a greater level of scrutiny from security scientists and users alike.
The work of runtime code loading along with the bundling of native code suggests that the app could allow the release and execution of unreviewed, [users.atw.hu](http://users.atw.hu/samp-info-forum/index.php?PHPSESSID=f48a03d578093c3f17f5a665759a48fe&action=profile