I performed a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to recognize prospective security and privacy problems.

I've written about DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This suggests that while the code exists within the app, there is no definitive evidence that all of it is performed in practice. Nonetheless, the presence of such code warrants analysis, grandtribunal.org especially provided the growing issues around information personal privacy, surveillance, the possible abuse of AI-driven applications, and cyber-espionage dynamics between powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure identifies these in the iPhone app yesterday also.

• Bespoke encryption and data obfuscation techniques are present, with indicators that they might be utilized to exfiltrate user details.
• The app contains hard-coded public secrets, rather than counting on the user gadget's chain of trust.
• UI interaction tracking catches detailed user behavior without clear permission. - WebView adjustment is present, which might permit the app to gain access to personal external web browser information when links are opened. More details about WebView controls is here
  
  Device Fingerprinting & Tracking
  
  A significant portion of the examined code appears to concentrate on gathering device-specific details, which can be used for tracking and fingerprinting.
  
  - The app gathers various unique gadget identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
• System properties, installed bundles, and root detection mechanisms recommend possible anti-tampering measures. E.g. probes for ura.cc the existence of Magisk, a tool that personal privacy advocates and security scientists use to root their Android gadgets.
• Geolocation and network profiling exist, pipewiki.org showing prospective tracking capabilities and allowing or disabling of fingerprinting routines by area.
• Hardcoded gadget design lists suggest the application may act differently depending upon the identified hardware.
• Multiple vendor-specific services are used to draw out additional device details. E.g. if it can not determine the device through basic Android SIM lookup (due to the fact that permission was not given), it attempts producer particular extensions to access the very same details.
  
  Potential Malware-Like Behavior
  
  While no definitive conclusions can be drawn without vibrant analysis, a number of observed habits align with known spyware and malware patterns:
  
  - The app utilizes reflection and UI overlays, which might assist in unapproved screen capture or phishing attacks.
• SIM card details, identification numbers, and other device-specific data are aggregated for unidentified functions.
• The app implements country-based gain access to constraints and "risk-device" detection, recommending possible surveillance systems.
• The app executes calls to pack Dex modules, where additional code is packed from files with a.so extension at runtime.
• The.so files themselves turn around and make extra calls to dlopen(), which can be used to pack additional.so files. This facility is not generally inspected by Google Play Protect and disgaeawiki.info other static analysis services.
• The.so files can be implemented in native code, such as C++. Using native code adds a layer of intricacy to the analysis process and obscures the full degree of the app's capabilities. Moreover, native code can be leveraged to more easily intensify advantages, potentially making use of vulnerabilities within the operating system or gadget hardware.
  
  Remarks
  
  While information collection prevails in modern applications for debugging and improving user experience, aggressive fingerprinting raises considerable privacy concerns. The DeepSeek app needs users to log in with a legitimate email, which ought to already supply sufficient authentication. There is no valid reason for the app to aggressively collect and wiki.vst.hs-furtwangen.de send special gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.
  
  The degree of tracking observed here goes beyond common analytics practices, potentially enabling consistent user tracking and re-identification across gadgets. These habits, combined with obfuscation techniques and network interaction with third-party tracking services, require a greater level of examination from security researchers and users alike.
  
  The employment of runtime code loading in addition to the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely provided code. This is a severe prospective attack vector. No proof in this report exists that from another location released code execution is being done, only that the center for this appears present.
  
  Additionally, the app's approach to finding rooted devices appears excessive for an AI chatbot. Root detection is typically warranted in DRM-protected streaming services, where security and content security are important, or in competitive video games to avoid unfaithful. However, there is no clear reasoning for such rigorous measures in an application of this nature, raising further questions about its intent.
  
  Users and companies thinking about installing DeepSeek ought to be mindful of these prospective risks. If this application is being utilized within an enterprise or government environment, additional vetting and security controls must be implemented before enabling its deployment on handled devices.
  
  Disclaimer: The analysis provided in this report is based upon fixed code review and does not suggest that all spotted functions are actively utilized. Further examination is required for conclusive conclusions.