I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to determine possible security and personal privacy concerns.

I've blogged about DeepSeek formerly here.

Additional security and personal privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based purely on fixed analysis. This suggests that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the existence of such code warrants analysis, especially given the growing issues around information personal privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising issues about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure identifies these in the iPhone app the other day too.

• Bespoke encryption and information obfuscation methods exist, with indicators that they might be used to exfiltrate user details.
• The app contains hard-coded public secrets, instead of depending on the user device's chain of trust.
• UI interaction tracking captures detailed user behavior without clear consent.
• WebView control exists, which might enable the app to gain access to private external internet browser information when links are opened. More details about WebView manipulations is here
  
  Device Fingerprinting & Tracking
  
  A substantial part of the analyzed code appears to concentrate on gathering device-specific details, lovewiki.faith which can be utilized for tracking and fingerprinting.
  
  - The app collects various unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
• System properties, installed plans, and root detection mechanisms recommend potential anti-tampering steps. E.g. probes for the existence of Magisk, a tool that privacy advocates and security scientists utilize to root their Android devices.
• Geolocation and network profiling exist, suggesting potential tracking capabilities and allowing or disabling of fingerprinting programs by area.
• Hardcoded device model lists suggest the application may behave differently depending upon the discovered hardware.
• Multiple vendor-specific services are used to extract additional device details. E.g. if it can not determine the device through basic Android SIM lookup (because consent was not granted), experienciacortazar.com.ar it attempts producer particular extensions to access the same details.
  
  Potential Malware-Like Behavior
  
  While no conclusive conclusions can be drawn without dynamic analysis, a number of observed habits align with recognized spyware and malware patterns:
  
  - The app utilizes reflection and utahsyardsale.com UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
• SIM card details, identification numbers, and other device-specific information are aggregated for unidentified functions.
• The app executes country-based gain access to constraints and "risk-device" detection, suggesting possible surveillance systems.
• The app implements calls to pack Dex modules, where extra code is packed from files with a.so extension at runtime.
• The.so files themselves turn around and make additional calls to dlopen(), which can be used to load additional.so files. This center is not usually inspected by Google Play Protect and other fixed analysis services.
• The.so files can be executed in native code, such as C++. The use of native code adds a layer of intricacy to the analysis procedure and obscures the complete extent of the app's abilities. Moreover, native code can be leveraged to more easily escalate opportunities, possibly making use of vulnerabilities within the os or gadget hardware.
  
  Remarks
  
  While information collection prevails in modern applications for cadizpedia.wikanda.es debugging and enhancing user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app needs users to visit with a legitimate email, vmeste-so-vsemi.ru which should already supply adequate authentication. There is no valid factor for the app to strongly collect and transmit distinct gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
  
  The level of tracking observed here surpasses typical analytics practices, potentially making it possible for relentless user tracking and re-identification across gadgets. These behaviors, combined with obfuscation methods and network interaction with third-party tracking services, require a higher level of analysis from security researchers and users alike.
  
  The work of runtime code filling as well as the bundling of native code recommends that the app might allow the deployment and execution of unreviewed, from another location provided code. This is a major possible attack vector. No proof in this report is presented that remotely released code execution is being done, just that the facility for this appears present.
  
  Additionally, the app's method to rooted devices appears excessive for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and disgaeawiki.info content protection are important, or in competitive computer game to prevent unfaithful. However, there is no clear rationale for such stringent steps in an application of this nature, raising additional concerns about its intent.
  
  Users and surgiteams.com organizations considering installing DeepSeek ought to understand these prospective dangers. If this application is being utilized within a business or government environment, additional vetting and security controls need to be enforced before enabling its release on handled devices.
  
  Disclaimer: The analysis presented in this report is based upon static code evaluation and does not indicate that all found functions are actively utilized. Further examination is required for conclusive conclusions.