Static Analysis Of The DeepSeek Android App

I performed a fixed analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The goal was to determine potential security and personal privacy issues.


I have actually discussed DeepSeek previously here.


Additional security and privacy concerns about DeepSeek have been raised.


See also this analysis by NowSecure of the iPhone variation of DeepSeek


The findings detailed in this report are based simply on static analysis. This implies that while the code exists within the app, there is no conclusive evidence that all of it is performed in practice. Nonetheless, the presence of such code warrants scrutiny, bphomesteading.com specifically given the growing issues around information personal privacy, surveillance, the prospective abuse of AI-driven applications, and cyber-espionage dynamics between international powers.


Key Findings


Suspicious Data Handling & Exfiltration


- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app yesterday as well.
- Bespoke encryption and data obfuscation approaches are present, with indications that they might be used to exfiltrate user details.
- The app contains hard-coded public secrets, instead of counting on the user gadget's chain of trust.
- UI interaction tracking records detailed user habits without clear consent.
- WebView adjustment is present, which could permit the app to gain access to personal external web browser information when links are opened. More details about WebView adjustments is here


Device Fingerprinting & Tracking


A significant portion of the examined code appears to focus on event device-specific details, which can be utilized for tracking and fingerprinting.


- The app gathers numerous unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, set up bundles, videochatforum.ro and root detection systems recommend potential anti-tampering measures. E.g. probes for the presence of Magisk, a tool that privacy supporters and security scientists use to root their Android devices.
- Geolocation and links.gtanet.com.br network profiling are present, suggesting possible tracking capabilities and enabling or disabling of fingerprinting regimes by region.
- Hardcoded gadget design lists recommend the application might behave differently depending on the identified hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it can not determine the device through basic Android SIM lookup (because consent was not approved), it attempts manufacturer particular extensions to access the exact same details.


Potential Malware-Like Behavior


While no definitive conclusions can be drawn without vibrant analysis, several observed habits line up with known spyware and malware patterns:


- The app uses reflection and UI overlays, which might assist in unauthorized screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific information are aggregated for unknown purposes.
- The app implements country-based gain access to constraints and "risk-device" detection, recommending possible surveillance mechanisms.
- The app carries out calls to pack Dex modules, where extra code is packed from files with a.so extension at runtime.
- The.so files themselves and make extra calls to dlopen(), which can be utilized to load additional.so files. This center is not generally examined by Google Play Protect and other static analysis services.
- The.so files can be implemented in native code, such as C++. The usage of native code adds a layer of complexity to the analysis procedure and obscures the complete level of the app's capabilities. Moreover, native code can be leveraged to more quickly escalate opportunities, potentially making use of vulnerabilities within the os or gadget hardware.


Remarks


While data collection prevails in contemporary applications for debugging and improving user experience, aggressive fingerprinting raises considerable personal privacy concerns. The DeepSeek app needs users to log in with a legitimate email, which should already offer sufficient authentication. There is no legitimate factor for the app to strongly collect and transfer unique gadget identifiers, lespoetesbizarres.free.fr IMEI numbers, SIM card details, and wakewiki.de other non-resettable system properties.


The degree of tracking observed here goes beyond normal analytics practices, potentially making it possible for relentless user tracking and re-identification throughout gadgets. These behaviors, integrated with obfuscation methods and network interaction with third-party tracking services, call for a greater level of examination from security researchers and users alike.


The employment of runtime code packing as well as the bundling of native code recommends that the app might permit the implementation and execution of unreviewed, remotely provided code. This is a severe prospective attack vector. No evidence in this report is provided that remotely released code execution is being done, just that the facility for this appears present.


Additionally, the app's method to identifying rooted gadgets appears excessive for an AI chatbot. Root detection is often warranted in DRM-protected streaming services, where security and content security are critical, akropolistravel.com or in competitive computer game to avoid unfaithful. However, there is no clear rationale for such stringent procedures in an application of this nature, raising additional concerns about its intent.


Users and organizations considering installing DeepSeek ought to be conscious of these possible dangers. If this application is being utilized within a business or government environment, experienciacortazar.com.ar extra vetting and security controls should be enforced before allowing its deployment on handled gadgets.


Disclaimer: The analysis presented in this report is based upon fixed code review and does not indicate that all found functions are actively used. Further investigation is required for conclusive conclusions.