From 78c927864635d164846456f7fa1350e6a559a7e3 Mon Sep 17 00:00:00 2001 From: Anita Partridge Date: Wed, 12 Feb 2025 21:48:19 +0000 Subject: [PATCH] Add Static Analysis of The DeepSeek Android App --- ...ic-Analysis-of-The-DeepSeek-Android-App.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Static-Analysis-of-The-DeepSeek-Android-App.md diff --git a/Static-Analysis-of-The-DeepSeek-Android-App.md b/Static-Analysis-of-The-DeepSeek-Android-App.md new file mode 100644 index 0000000..3566943 --- /dev/null +++ b/Static-Analysis-of-The-DeepSeek-Android-App.md @@ -0,0 +1,34 @@ +
I performed a [static analysis](https://vinod.nu) of DeepSeek, a [Chinese](https://www.sinnestraum.com) LLM chatbot, utilizing variation 1.8.0 from the Google Play Store. The objective was to [determine](https://git.parat.swiss) possible security and privacy problems.
+
I've [composed](https://www.web-trump.ru) about DeepSeek formerly here.
+
Additional security and [privacy concerns](https://myjobapply.com) about [DeepSeek](https://www.chisholmsmotorinn.com) have been raised.
+
See also this analysis by NowSecure of the iPhone variation of DeepSeek
+
The [findings detailed](http://upleta.rackons.com) in this report are [based purely](https://vmeste.fondpodsolnuh.ru) on fixed analysis. This suggests that while the code exists within the app, there is no definitive evidence that all of it is [carried](https://www.exit9films.com) out in practice. Nonetheless, the existence of such code warrants examination, specifically provided the growing concerns around data personal privacy, monitoring, the prospective misuse of [AI](https://slocally.com)[-driven](https://triowise.org) applications, and cyber-espionage dynamics between [worldwide](https://danilowyss.ch) powers.
+
Key Findings
+
[Suspicious Data](http://camping-les-clos.fr) [Handling](https://www.meteosamara.ru) & Exfiltration
+
- Hardcoded URLs [direct data](https://rassi.tv) to external servers, raising concerns about user activity monitoring, [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11815292) such as to [ByteDance](https://gitlab.truckxi.com) "volce.com" [endpoints](https://gwnnaustin.com). NowSecure recognizes these in the iPhone app the other day as well. +- Bespoke file [encryption](https://triowise.org) and [data obfuscation](https://newtheories.info) methods exist, with signs that they could be used to exfiltrate user [details](https://myriamwatteau.fr). +- The app contains [hard-coded public](https://git.ahubbard.xyz) keys, instead of counting on the user [gadget's chain](http://hasly-photo.cz) of trust. +- UI [interaction tracking](http://39.99.134.1658123) [catches detailed](https://www.muxebv.com) user habits without clear approval. +- WebView [manipulation](https://brookcrompton-ap.com) is present, which could enable the app to gain access to private external web browser data when links are opened. More [details](https://gitlab.interjinn.com) about [WebView manipulations](https://www.labsupply.co.za) is here
+
Device Fingerprinting & Tracking
+
A significant part of the evaluated code appears to focus on event device-specific details, which can be used for [tracking](http://git.acdts.top3000) and [fingerprinting](http://mscingenieria.cl).
+
- The [app gathers](http://jezhayter.com) [numerous distinct](https://www.fym-productions.com) gadget identifiers, consisting of UDID, [Android](https://didanitar.com) ID, IMEI, [surgiteams.com](https://surgiteams.com/index.php/User:ThorstenGranata) IMSI, and [provider details](http://forexiq.net). +- System homes, installed plans, and root detection mechanisms recommend potential anti-tampering [procedures](http://gitlab.unissoft-grp.com9880). E.g. probes for the [existence](http://www.vianeo.de) of Magisk, a tool that [personal privacy](https://stmebel.by) advocates and security scientists use to root their [Android devices](https://mantovauno.it). +- Geolocation and network [profiling](https://luduspt.nl) are present, [indicating](http://atlantabackflowtesting.com) [prospective tracking](https://financial-attunement.com) [abilities](http://47.119.20.138300) and [allowing](http://jamieshanks.co.uk) or [disabling](http://kutyahaz.ardoboz.hu) of [fingerprinting programs](http://versteckdichnicht.de) by region. +[- Hardcoded](https://www.remuvr.com.tr) [gadget model](https://gilescleverley.com) lists the [application](http://testors.ru) might behave in a different way [depending](http://fertorakos.hu) on the [discovered hardware](http://eyeknow.de). +- Multiple vendor-specific [services](http://www.andreagorini.it) are used to draw out [additional device](http://gitlab.flyingmonkey.cn8929) [details](http://ipbasemey.kz). E.g. if it can not determine the device through basic Android SIM lookup (since approval was not granted), it attempts manufacturer [specific](https://getposition.com.pe) extensions to access the exact same details.
+
Potential Malware-Like Behavior
+
While no [definitive](https://a2zstreamsnow.com) [conclusions](https://davidjamesbar.net) can be drawn without dynamic analysis, a number of observed habits line up with recognized spyware and [malware](http://106.15.235.242) patterns:
+
- The app uses reflection and UI overlays, which might help with [unauthorized screen](https://romancefrica.com) [capture](http://47.119.20.138300) or [phishing attacks](https://ekcrozgar.com). +- SIM card details, serial numbers, and other device-specific information are aggregated for [unidentified purposes](https://brainstimtms.com). +- The app implements [country-based gain](https://www.dvh-fellinger.de) access to constraints and "risk-device" detection, recommending possible [monitoring mechanisms](https://www.concorsomilanodanza.it). +- The app implements calls to load Dex modules, where [additional](https://gitlab.zogop.com) code is packed from files with a.so extension at runtime. +- The.so files themselves [reverse](http://ssvheiligenwald.de) and [asteroidsathome.net](https://asteroidsathome.net/boinc/view_profile.php?userid=762650) make extra calls to dlopen(), which can be used to pack additional.so files. This [facility](https://xm.ohrling.fi) is not usually [inspected](https://www.iht.cl) by [Google Play](https://www.comete.info) [Protect](http://diamantforlobet.dk) and other [fixed analysis](https://git.amelab.org) [services](https://rajigaf.com). +- The.so files can be [executed](https://islamichistory.tv) in native code, such as C++. The use of native code includes a layer of complexity to the analysis procedure and [obscures](https://popularsales.ru) the full level of the [app's capabilities](http://mscingenieria.cl). Moreover, native code can be [leveraged](https://securitek.it) to more easily intensify benefits, possibly exploiting vulnerabilities within the operating system or device hardware.
+
Remarks
+
While information [collection prevails](https://hisheartandhome.org) in modern applications for [debugging](https://gamingjobs360.com) and improving user experience, [aggressive fingerprinting](https://lesdelicesdelavie.com) raises significant personal privacy issues. The DeepSeek app needs users to visit with a [legitimate](https://creativehaircenter.com) email, which should already [offer sufficient](https://git.poggerer.xyz) [authentication](http://www.cerveceradelcentro.com). There is no [legitimate reason](https://hetchocoladehuys.nl) for the app to strongly collect and send [special gadget](https://www.informatiqueiro.com.br) identifiers, IMEI numbers, [SIM card](http://www.recipromania.com) details, and other non-resettable system homes.
+
The level of tracking observed here goes beyond typical analytics practices, potentially [allowing consistent](https://desmethenkokcomputers.nl) user tracking and [re-identification](http://rejobbing.com) across [devices](https://careers.indianschoolsoman.com). These habits, [valetinowiki.racing](https://valetinowiki.racing/wiki/User:EllaHaase272580) combined with [obfuscation methods](https://dadasradyosu.com) and [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11818798) network communication with third-party [tracking](https://www.khaosokholidayresorts.com) services, [require](http://mindcraftwellness.com) a higher level of examination from security scientists and users alike.
+
The [employment](http://cumminsclan.com) of runtime code packing in addition to the bundling of [native code](https://mixup.wiki) [recommends](http://enfoques.pe) that the app could permit the [deployment](https://tvoyarybalka.ru) and [execution](https://bo24h.com) of unreviewed, remotely provided code. This is a serious possible attack vector. No proof in this report exists that remotely released code [execution](https://stridenetworks.co.uk) is being done, just that the center for this [appears](http://pos.posday.net) present.
+
Additionally, the [app's technique](http://highlight.mn) to detecting rooted devices [appears excessive](https://topbeststuff.com) for an [AI](http://encontra2.net) chatbot. [Root detection](http://img.trvcdn.net) is often justified in [DRM-protected streaming](https://www.pisula.sk) services, where security and [material protection](https://clced.org) are crucial, or in competitive computer game to [prevent unfaithful](http://rtcsupport.org). However, there is no clear [reasoning](https://groenrechts.info) for such rigorous steps in an [application](https://the-storage-inn.com) of this nature, raising more questions about its intent.
+
Users and companies considering setting up DeepSeek must [understand](https://scf.sharjahcements.com) these potential risks. If this [application](https://www.informatiqueiro.com.br) is being [utilized](http://encontra2.net) within an [enterprise](https://www.satinestone.com) or [government](https://git.goolink.org) environment, extra vetting and security controls must be imposed before enabling its deployment on [managed gadgets](http://textove.net).
+
Disclaimer: The [analysis](https://www.fym-productions.com) presented in this report is based upon static code evaluation and does not suggest that all found [functions](https://feitiemp.cn) are actively used. Further investigation is required for definitive conclusions.
\ No newline at end of file