Static Analysis of The DeepSeek Android App

I performed a fixed analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The goal was to recognize prospective security and personal privacy issues.

I have actually blogged about DeepSeek formerly here.

Additional security and personal privacy concerns about DeepSeek have actually been raised.

See likewise this analysis by NowSecure of the iPhone version of DeepSeek

The findings detailed in this report are based purely on fixed analysis. This indicates that while the code exists within the app, there is no definitive evidence that all of it is carried out in practice. Nonetheless, the existence of such code warrants analysis, specifically given the growing concerns around information personal privacy, monitoring, the potential misuse of AI-driven applications, and cyber-espionage characteristics in between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

– Hardcoded URLs direct information to external servers, raising issues about user activity monitoring, such as to ByteDance „volce.com“ endpoints. NowSecure determines these in the iPhone app yesterday as well.
– Bespoke encryption and information obfuscation approaches are present, with signs that they could be utilized to exfiltrate user details.
– The app contains hard-coded public secrets, rather than relying on the user device’s chain of trust.
– UI interaction tracking user behavior without clear consent.
– WebView adjustment exists, which could enable the app to gain access to private external web browser data when links are opened. More details about WebView controls is here

Device Fingerprinting & Tracking

A significant part of the analyzed code appears to concentrate on gathering device-specific details, which can be utilized for tracking and fingerprinting.

– The app collects numerous unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details.
– System homes, set up bundles, and root detection mechanisms suggest potential anti-tampering steps. E.g. probes for fakenews.win the existence of Magisk, a tool that privacy advocates and security scientists utilize to root their Android gadgets.
– Geolocation and network profiling are present, indicating potential tracking abilities and enabling or disabling of fingerprinting routines by region.
– Hardcoded gadget model lists recommend the application might act differently depending on the spotted hardware.
– Multiple vendor-specific services are utilized to draw out additional gadget details. E.g. if it can not identify the device through basic Android SIM lookup (due to the fact that consent was not granted), it attempts producer particular extensions to access the exact same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

– The app utilizes reflection and UI overlays, which might assist in unapproved screen capture or phishing attacks.
– SIM card details, serial numbers, and other device-specific information are aggregated for unidentified functions.
– The app carries out country-based gain access to constraints and „risk-device“ detection, recommending possible surveillance systems.
– The app executes calls to pack Dex modules, where additional code is packed from files with a.so extension at runtime.
– The.so files themselves turn around and make extra calls to dlopen(), which can be utilized to load additional.so files. This facility is not usually checked by Google Play Protect and other static analysis services.
– The.so files can be executed in native code, such as C++. Using native code adds a layer of intricacy to the analysis process and obscures the complete level of the app’s abilities. Moreover, native code can be leveraged to more quickly intensify benefits, potentially exploiting vulnerabilities within the operating system or device hardware.

Remarks

While data collection prevails in modern applications for debugging and improving user experience, aggressive fingerprinting raises substantial personal privacy issues. The DeepSeek app requires users to visit with a valid email, which ought to already offer enough authentication. There is no legitimate reason for the app to aggressively gather and transfer distinct device identifiers, IMEI numbers, SIM card details, and other non-resettable system residential or commercial properties.

The level of tracking observed here goes beyond common analytics practices, possibly making it possible for relentless user tracking and larsaluarna.se re-identification across gadgets. These habits, combined with obfuscation methods and network communication with third-party tracking services, require a greater level of examination from security scientists and users alike.

The employment of runtime code loading in addition to the bundling of native code recommends that the app might permit the implementation and execution of unreviewed, remotely delivered code. This is a major potential attack vector. No evidence in this report exists that from another location released code execution is being done, only that the facility for this appears present.

Additionally, the app’s technique to discovering rooted devices appears extreme for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and material protection are crucial, or in competitive video games to prevent unfaithful. However, there is no clear reasoning for such strict measures in an application of this nature, raising more questions about its intent.

Users and bbarlock.com companies considering installing DeepSeek should understand these possible threats. If this application is being used within a business or raovatonline.org government environment, extra vetting and security controls must be implemented before allowing its implementation on handled devices.

Disclaimer: The analysis provided in this report is based upon static code evaluation and does not imply that all found functions are actively utilized. Further examination is needed for conclusive conclusions.