Static Analysis of The DeepSeek Android App


I performed a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The goal was to recognize potential security and privacy issues.


I have discussed DeepSeek previously here.


Additional security and privacy concerns about DeepSeek have been raised.


See also this analysis by NowSecure of the iPhone version of DeepSeek.


The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, surveillance, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.


Key Findings


Suspicious Data Handling & Exfiltration


- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure also identified these in the iPhone app the other day.
- Bespoke file encryption and data obfuscation methods are present, with signs that they might be used to exfiltrate user details.
- The app contains hard-coded public keys, instead of relying on the user device's chain of trust.
- UI interaction tracking records detailed user behavior without clear consent.
- WebView manipulation is present, which might allow the app to access private external browser data when links are opened. More details about WebView manipulations are here.


Device Fingerprinting & Tracking


A significant portion of the examined code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.


- The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest possible anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, suggesting potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application might behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot determine the device through standard Android SIM lookup (because permission was not granted), it tries manufacturer-specific extensions to access the same details.


Potential Malware-Like Behavior


While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:


- The app uses reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible security systems.
- The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves in turn make additional calls to dlopen(), which can be used to load further .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
- The .so files can be implemented in native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, possibly exploiting vulnerabilities within the operating system or device hardware.
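A static triage of this kind can be reproduced on any APK decompiled with apktool. The following is an added example, not code from the original report or from the app: it flags smali lines that reference the identifier, root-detection and code-loading APIs named in the findings above. The category names and the sample smali are constructed for illustration, and it covers the Dalvik side only, not dlopen() calls inside native libraries.

```python
import re
from collections import defaultdict
from pathlib import Path

# Smali-level indicators for behaviours listed in the report. The API and
# package names are public Android/Magisk names; the selection is illustrative.
INDICATORS = {
    "device_identifiers": [
        r"Landroid/telephony/TelephonyManager;->get(Imei|DeviceId|SubscriberId|SimSerialNumber)\(",
        r'const-string [vp]\d+, "android_id"',
    ],
    "root_detection": [r"com\.topjohnwu\.magisk"],
    "package_enumeration": [r"Landroid/content/pm/PackageManager;->getInstalledPackages\("],
    "dynamic_code_loading": [
        r"Ldalvik/system/(InMemory)?DexClassLoader;-><init>\(",
        r"Ljava/lang/System;->load(Library)?\(",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}

def scan_text(name, text):
    """Return {category: [(file, line_no, line)]} for one smali file."""
    hits = defaultdict(list)
    for no, line in enumerate(text.splitlines(), 1):
        for cat, pats in COMPILED.items():
            if any(p.search(line) for p in pats):
                hits[cat].append((name, no, line.strip()))
    return dict(hits)

def scan_tree(root):
    """Scan every .smali file under an apktool output directory."""
    merged = defaultdict(list)
    for path in Path(root).rglob("*.smali"):
        found = scan_text(str(path), path.read_text(errors="replace"))
        for cat, lines in found.items():
            merged[cat].extend(lines)
    return dict(merged)

# Constructed sample smali (not taken from the DeepSeek app).
SAMPLE = """\
.method public static a(Landroid/content/Context;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getImei()Ljava/lang/String;
    const-string v1, "android_id"
    const-string v2, "com.topjohnwu.magisk"
    new-instance v3, Ldalvik/system/DexClassLoader;
    invoke-direct {v3, v4, v5, v6, v7}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-static {v8}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
.end method
"""
```

A hit only shows that the reference exists in the code, which is the same limitation the report states for its own findings; whether the call runs has to be confirmed with dynamic analysis.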


Remarks


While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises substantial privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.


The degree of tracking observed here goes beyond typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, call for a higher level of scrutiny from security researchers and users alike.


The use of runtime code loading, along with the bundling of native code, suggests that the app might allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence is presented in this report that remotely deployed code execution is taking place, only that the facility for it appears to be present.


Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often warranted in DRM-protected streaming services, where security and content protection are important, or in competitive video games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.


Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within a business or government environment, additional vetting and security controls need to be implemented before allowing its deployment on managed devices.


Disclaimer: The analysis provided in this report is based upon static code evaluation and does not indicate that all discovered functions are actively utilized. Further investigation is required for definitive conclusions.
