I performed a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to identify potential security and personal privacy problems.

I have actually composed about DeepSeek previously here.

Additional security and privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek

The findings detailed in this report are based purely on fixed analysis. This implies that while the code exists within the app, there is no conclusive evidence that all of it is carried out in practice. Nonetheless, the presence of such code warrants scrutiny, especially provided the growing issues around information personal privacy, monitoring, the prospective abuse of AI-driven applications, and cyber-espionage dynamics between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance “volce.com” endpoints. NowSecure recognizes these in the iPhone app yesterday also. - Bespoke file encryption and information obfuscation methods exist, with indicators that they might be used to exfiltrate user details.

• The app contains hard-coded public secrets, rather than counting on the user device’s chain of trust.
• UI interaction tracking records detailed user habits without clear authorization. - WebView adjustment is present, which could enable the app to gain access to personal external internet browser information when links are opened. More details about WebView manipulations is here
  
  Device Fingerprinting & Tracking
  
  A substantial portion of the examined code appears to concentrate on event device-specific details, wiki.whenparked.com which can be utilized for tracking and fingerprinting.
  
  - The app collects various unique gadget identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
• System residential or commercial properties, installed plans, and root detection systems recommend prospective anti-tampering steps. E.g. probes for classifieds.ocala-news.com the existence of Magisk, a tool that privacy advocates and security researchers utilize to root their Android devices.
• Geolocation and network profiling are present, showing potential tracking capabilities and allowing or disabling of fingerprinting regimes by area.
• Hardcoded gadget design lists recommend the application might behave differently depending on the found hardware. - Multiple vendor-specific services are utilized to extract extra device details. E.g. if it can not figure out the device through basic Android SIM lookup (due to the fact that consent was not granted), it tries maker specific extensions to access the very same details.
  
  Potential Malware-Like Behavior
  
  While no conclusive conclusions can be drawn without dynamic analysis, a number of observed habits align with known spyware and malware patterns:
  
  - The app utilizes reflection and UI overlays, which might help with unauthorized screen capture or .
• SIM card details, serial numbers, and other device-specific data are aggregated for unknown functions.
• The app executes country-based gain access to constraints and “risk-device” detection, suggesting possible surveillance mechanisms.
• The app carries out calls to load Dex modules, where additional code is filled from files with a.so extension at runtime.
• The.so files themselves turn around and make additional calls to dlopen(), which can be used to fill additional.so files. This facility is not normally checked by Google Play Protect and other static analysis services.
• The.so files can be executed in native code, such as C++. Using native code includes a layer of complexity to the analysis process and obscures the full degree of the app’s capabilities. Moreover, native code can be leveraged to more quickly escalate benefits, potentially making use of vulnerabilities within the os or gadget hardware.
  
  Remarks
  
  While data collection prevails in modern-day applications for debugging and improving user experience, aggressive fingerprinting raises significant personal privacy concerns. The DeepSeek app requires users to log in with a valid email, which need to already provide enough authentication. There is no legitimate factor for the app to aggressively gather and send distinct device identifiers, IMEI numbers, SIM card details, and utahsyardsale.com other non-resettable system residential or commercial properties.
  
  The extent of tracking observed here surpasses common analytics practices, possibly enabling consistent user tracking and re-identification across gadgets. These behaviors, integrated with obfuscation techniques and network interaction with third-party tracking services, call for a higher level of analysis from security scientists and users alike.
  
  The work of runtime code filling in addition to the bundling of native code suggests that the app might permit the deployment and execution of unreviewed, from another location provided code. This is a major possible attack vector. No proof in this report exists that from another location deployed code execution is being done, only that the center for this appears present.
  
  Additionally, the app’s method to spotting rooted gadgets appears extreme for an AI chatbot. Root detection is frequently warranted in DRM-protected streaming services, where security and [forum.batman.gainedge.org](https://forum.batman.gainedge.org/index.php?action=profile