spelplakkers

ahmadfairbridg/spelplakkers

I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The objective was to identify possible security and privacy problems.

I have actually discussed DeepSeek previously here.

Additional security and imoodle.win personal privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This indicates that while the code exists within the app, there is no definitive evidence that all of it is carried out in practice. Nonetheless, the presence of such code warrants scrutiny, specifically provided the growing concerns around information personal privacy, surveillance, the potential abuse of AI-driven applications, and king-wifi.win cyber-espionage dynamics between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app yesterday too.

Bespoke encryption and data obfuscation approaches exist, with indications that they could be used to exfiltrate user details.
The app contains hard-coded public keys, rather than depending on the user device's chain of trust.
UI interaction tracking records detailed user habits without clear permission. - WebView adjustment is present, which might permit the app to gain access to personal external web browser information when links are opened. More details about WebView manipulations is here

Device Fingerprinting & Tracking

A considerable portion of the examined code appears to concentrate on event device-specific details, which can be utilized for tracking and fingerprinting.

- The app collects various distinct device identifiers, consisting of UDID, Android ID, IMEI, IMSI, akropolistravel.com and provider details.
System properties, set up bundles, and root detection systems suggest prospective anti-tampering steps. E.g. probes for the existence of Magisk, a tool that privacy advocates and security scientists utilize to root their Android devices.
Geolocation and network profiling are present, suggesting potential tracking abilities and enabling or disabling of fingerprinting regimes by area.
Hardcoded gadget model lists suggest the application may behave differently depending on the found hardware.
Multiple vendor-specific services are used to draw out additional gadget details. E.g. if it can not identify the gadget through standard Android SIM lookup (because authorization was not given), it tries producer specific extensions to access the same details.

Potential Malware-Like Behavior

While no conclusive conclusions can be drawn without vibrant analysis, a number of observed behaviors line up with known spyware and malware patterns:

- The app utilizes reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
The app carries out country-based gain access to constraints and "risk-device" detection, suggesting possible monitoring mechanisms.
The app executes calls to fill Dex modules, fraternityofshadows.com where extra code is loaded from files with a.so extension at runtime.
The.so submits themselves reverse and make additional calls to dlopen(), which can be used to fill additional.so files. This facility is not typically examined by Google Play Protect and other static analysis services.
The.so files can be implemented in native code, such as C++. The use of native code includes a layer of intricacy to the analysis procedure and obscures the full level of the app's abilities. Moreover, native code can be leveraged to more easily escalate advantages, potentially exploiting vulnerabilities within the operating system or device hardware.

Remarks

While data collection prevails in contemporary applications for debugging and enhancing user experience, aggressive fingerprinting raises considerable personal privacy issues. The DeepSeek app requires users to visit with a legitimate email, which need to currently provide sufficient authentication. There is no legitimate reason for the app to and send unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The level of tracking observed here exceeds normal analytics practices, possibly enabling relentless user tracking and re-identification across gadgets. These behaviors, integrated with obfuscation strategies and network interaction with third-party tracking services, call for wavedream.wiki a higher level of analysis from security researchers and users alike.

The employment of runtime code packing as well as the bundling of native code recommends that the app might enable the deployment and execution of unreviewed, remotely delivered code. This is a severe possible attack vector. No proof in this report exists that from another location released code execution is being done, just that the facility for this appears present.

Additionally, the app's approach to finding rooted gadgets appears extreme for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and content defense are crucial, or in competitive computer game to prevent unfaithful. However, there is no clear reasoning for such strict steps in an application of this nature, raising more questions about its intent.

Users and organizations thinking about installing DeepSeek must be mindful of these possible dangers. If this application is being used within a business or government environment, extra vetting and security controls need to be implemented before allowing its release on managed devices.

Disclaimer: The analysis provided in this report is based on static code evaluation and does not imply that all discovered functions are actively used. Further examination is needed for definitive conclusions.