danzaura

anitapartridge/danzaura

I performed a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing variation 1.8.0 from the Google Play Store. The objective was to determine possible security and privacy problems.

I've composed about DeepSeek formerly here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based purely on fixed analysis. This suggests that while the code exists within the app, there is no definitive evidence that all of it is carried out in practice. Nonetheless, the existence of such code warrants examination, specifically provided the growing concerns around data personal privacy, monitoring, the prospective misuse of AI -driven applications, and cyber-espionage dynamics between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, setiathome.berkeley.edu such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app the other day as well.

Bespoke file encryption and data obfuscation methods exist, with signs that they could be used to exfiltrate user details.
The app contains hard-coded public keys, instead of counting on the user gadget's chain of trust.
UI interaction tracking catches detailed user habits without clear approval.
WebView manipulation is present, which could enable the app to gain access to private external web browser data when links are opened. More details about WebView manipulations is here

Device Fingerprinting & Tracking

A significant part of the evaluated code appears to focus on event device-specific details, which can be used for tracking and fingerprinting.

- The app gathers numerous distinct gadget identifiers, consisting of UDID, Android ID, IMEI, surgiteams.com IMSI, and provider details.
System homes, installed plans, and root detection mechanisms recommend potential anti-tampering procedures. E.g. probes for the existence of Magisk, a tool that personal privacy advocates and security scientists use to root their Android devices.
Geolocation and network profiling are present, indicating prospective tracking abilities and allowing or disabling of fingerprinting programs by region. - Hardcoded gadget model lists the application might behave in a different way depending on the discovered hardware.
Multiple vendor-specific services are used to draw out additional device details. E.g. if it can not determine the device through basic Android SIM lookup (since approval was not granted), it attempts manufacturer specific extensions to access the exact same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, a number of observed habits line up with recognized spyware and malware patterns:

- The app uses reflection and UI overlays, which might help with unauthorized screen capture or phishing attacks.
SIM card details, serial numbers, and other device-specific information are aggregated for unidentified purposes.
The app implements country-based gain access to constraints and "risk-device" detection, recommending possible monitoring mechanisms.
The app implements calls to load Dex modules, where additional code is packed from files with a.so extension at runtime.
The.so files themselves reverse and asteroidsathome.net make extra calls to dlopen(), which can be used to pack additional.so files. This facility is not usually inspected by Google Play Protect and other fixed analysis services.
The.so files can be executed in native code, such as C++. The use of native code includes a layer of complexity to the analysis procedure and obscures the full level of the app's capabilities. Moreover, native code can be leveraged to more easily intensify benefits, possibly exploiting vulnerabilities within the operating system or device hardware.

Remarks

While information collection prevails in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant personal privacy issues. The DeepSeek app needs users to visit with a legitimate email, which should already offer sufficient authentication. There is no legitimate reason for the app to strongly collect and send special gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The level of tracking observed here goes beyond typical analytics practices, potentially allowing consistent user tracking and re-identification across devices. These habits, valetinowiki.racing combined with obfuscation methods and setiathome.berkeley.edu network communication with third-party tracking services, require a higher level of examination from security scientists and users alike.

The employment of runtime code packing in addition to the bundling of native code recommends that the app could permit the deployment and execution of unreviewed, remotely provided code. This is a serious possible attack vector. No proof in this report exists that remotely released code execution is being done, just that the center for this appears present.

Additionally, the app's technique to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and material protection are crucial, or in competitive computer game to prevent unfaithful. However, there is no clear reasoning for such rigorous steps in an application of this nature, raising more questions about its intent.

Users and companies considering setting up DeepSeek must understand these potential risks. If this application is being utilized within an enterprise or government environment, extra vetting and security controls must be imposed before enabling its deployment on managed gadgets.

Disclaimer: The analysis presented in this report is based upon static code evaluation and does not suggest that all found functions are actively used. Further investigation is required for definitive conclusions.