I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The goal was to determine possible security and privacy concerns.

I've blogged about DeepSeek previously here.

Additional security and personal privacy issues about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This indicates that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the existence of such code warrants scrutiny, especially offered the growing concerns around information privacy, monitoring, the possible abuse of AI-driven applications, and cyber-espionage characteristics between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising issues about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app the other day too. - Bespoke file encryption and data obfuscation methods are present, with that they could be used to exfiltrate user details.

• The app contains hard-coded public secrets, instead of counting on the user device's chain of trust.
• UI interaction tracking records detailed user behavior without clear authorization.
• WebView manipulation exists, which could permit the app to gain access to personal external internet browser data when links are opened. More details about WebView manipulations is here
  
  Device Fingerprinting & Tracking
  
  A considerable portion of the analyzed code appears to concentrate on event device-specific details, which can be used for tracking and fingerprinting.
  
  - The app gathers different distinct gadget identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
• System residential or commercial properties, installed bundles, suvenir51.ru and root detection systems suggest possible anti-tampering measures. E.g. probes for the presence of Magisk, a tool that personal privacy advocates and security scientists use to root their Android gadgets. - Geolocation and network profiling exist, suggesting possible tracking capabilities and making it possible for or disabling of fingerprinting routines by region. - Hardcoded device model lists suggest the application might behave differently depending upon the found hardware.
• Multiple vendor-specific services are utilized to extract extra device details. E.g. if it can not identify the device through standard Android SIM lookup (since authorization was not granted), it attempts producer particular extensions to access the very same details.
  
  Potential Malware-Like Behavior
  
  While no conclusive conclusions can be drawn without vibrant analysis, numerous observed behaviors align with known spyware and malware patterns:
  
  - The app utilizes reflection and UI overlays, which could help with unapproved screen capture or phishing attacks.
• SIM card details, identification numbers, and other device-specific information are aggregated for unidentified functions.
• The app carries out country-based gain access to constraints and "risk-device" detection, suggesting possible surveillance systems.
• The app implements calls to fill Dex modules, where extra code is loaded from files with a.so extension at runtime.
• The.so submits themselves reverse and make extra calls to dlopen(), which can be utilized to load additional.so files. This facility is not generally examined by Google Play Protect and other fixed analysis services.
• The.so files can be executed in native code, such as C++. Making use of native code includes a layer of intricacy to the analysis procedure and obscures the complete degree of the app's abilities. Moreover, native code can be leveraged to more quickly intensify advantages, potentially exploiting vulnerabilities within the operating system or device hardware.
  
  Remarks
  
  While data collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises considerable privacy issues. The DeepSeek app needs users to log in with a legitimate email, which need to already supply adequate authentication. There is no legitimate reason for the app to strongly gather and transfer special device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
  
  The degree of tracking observed here goes beyond typical analytics practices, potentially enabling consistent user tracking and re-identification throughout devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, necessitate a greater level of examination from security researchers and users alike.
  
  The work of runtime code loading in addition to the bundling of native code recommends that the app could enable the implementation and execution of unreviewed, remotely provided code. This is a severe possible attack vector. No evidence in this report exists that remotely released code execution is being done, just that the facility for this appears present.
  
  Additionally, the app's technique to detecting rooted gadgets appears extreme for an AI chatbot. Root detection is often warranted in DRM-protected streaming services, where security and material defense are vital, allmy.bio or in competitive computer game to prevent unfaithful. However, there is no clear reasoning for such rigorous steps in an application of this nature, raising more concerns about its intent.
  
  Users and companies thinking about setting up DeepSeek must understand these prospective threats. If this application is being utilized within an enterprise or federal government environment, extra vetting and security controls must be implemented before enabling its deployment on managed gadgets.
  
  Disclaimer: classihub.in The analysis provided in this report is based on static code review and does not imply that all found functions are actively utilized. Further investigation is needed for conclusive conclusions.