Static Analysis of The DeepSeek Android App (#1) · Issues · Almeda Arrowood / perpensar

Static Analysis of The DeepSeek Android App

I carried out a fixed analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to determine potential security and personal privacy problems.

I have actually discussed DeepSeek formerly here.

Additional security and personal privacy issues about DeepSeek have actually been raised.

See also this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based purely on fixed analysis. This means that while the code exists within the app, there is no conclusive proof that all of it is carried out in practice. Nonetheless, the presence of such code warrants examination, especially offered the growing concerns around information personal privacy, security, the possible abuse of AI-driven applications, and cyber-espionage characteristics in between international powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app the other day as well. - Bespoke file encryption and information obfuscation techniques are present, with indicators that they might be utilized to exfiltrate user details.

The app contains hard-coded public secrets, rather than relying on the user device's chain of trust.
UI interaction tracking captures detailed user habits without clear authorization. - WebView control exists, which might enable the app to gain access to personal external browser information when links are opened. More details about WebView manipulations is here

Device Fingerprinting & Tracking

A substantial portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.

- The app gathers numerous distinct device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
System residential or commercial properties, set up bundles, and root detection systems suggest prospective anti-tampering procedures. E.g. probes for dokuwiki.stream the presence of Magisk, a tool that privacy supporters and security researchers use to root their Android gadgets.
Geolocation and network profiling exist, indicating prospective tracking abilities and enabling or disabling of fingerprinting regimes by region. - Hardcoded gadget design lists suggest the application might behave in a different way depending on the spotted hardware.
Multiple vendor-specific services are utilized to draw out extra gadget details. E.g. if it can not figure out the device through standard Android SIM lookup (since authorization was not approved), it attempts maker specific extensions to access the very same details.

Potential Malware-Like Behavior

While no conclusive can be drawn without dynamic analysis, several observed habits line up with recognized spyware and malware patterns:

- The app utilizes reflection and UI overlays, which might assist in unapproved screen capture or phishing attacks.
SIM card details, serial numbers, and other device-specific data are aggregated for unidentified functions.
The app executes country-based gain access to constraints and "risk-device" detection, recommending possible security mechanisms.
The app executes calls to fill Dex modules, where extra code is filled from files with a.so extension at runtime.
The.so files themselves turn around and make extra calls to dlopen(), akropolistravel.com which can be utilized to pack additional.so files. This center is not typically examined by Google Play Protect and other fixed analysis services.
The.so files can be carried out in native code, such as C++. Making use of native code adds a layer of intricacy to the analysis process and obscures the complete level of the app's capabilities. Moreover, native code can be leveraged to more quickly escalate benefits, potentially exploiting vulnerabilities within the os or gadget hardware.

Remarks

While data collection prevails in modern-day applications for debugging and improving user experience, aggressive fingerprinting raises considerable privacy concerns. The DeepSeek app requires users to visit with a legitimate email, which need to currently offer enough authentication. There is no legitimate factor for the app to strongly collect and transmit special device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.

The extent of tracking observed here exceeds typical analytics practices, possibly enabling relentless user tracking and re-identification throughout devices. These behaviors, combined with obfuscation methods and network interaction with third-party tracking services, koha-community.cz call for bphomesteading.com a greater level of examination from security researchers and users alike.

The work of runtime code filling as well as the bundling of native code suggests that the app could enable the implementation and execution of unreviewed, remotely provided code. This is a serious prospective attack vector. No proof in this report exists that from another location deployed code execution is being done, just that the facility for this appears present.

Additionally, the app's method to detecting rooted devices appears extreme for an AI chatbot. Root detection is typically warranted in DRM-protected streaming services, where security and material protection are important, akropolistravel.com or in competitive computer game to prevent unfaithful. However, there is no clear reasoning for such strict procedures in an application of this nature, raising further questions about its intent.

Users and companies thinking about setting up DeepSeek needs to know these possible risks. If this application is being used within an enterprise or federal government environment, extra vetting and security controls must be imposed before enabling its deployment on handled gadgets.

Disclaimer: The analysis provided in this report is based upon fixed code review and does not imply that all found functions are actively utilized. Further examination is required for definitive conclusions.

I [carried](https://awisar.ppks.edu.my) out a [fixed analysis](https://www.acfantasysports.com) of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The [objective](https://astronomicalexplorers.com) was to determine potential [security](https://rothlin-gl.ch) and [personal privacy](http://www.motovac.com) problems. 
 I have actually discussed DeepSeek formerly here. 
 [Additional security](https://bodyplus.co) and [personal privacy](https://grupocofarma.com) issues about [DeepSeek](http://www.ijo.cn) have actually been raised. 
 See also this [analysis](http://new.kemredcross.ru) by [NowSecure](https://liveyourpassion.in) of the [iPhone variation](https://sanantoniohailclaims.com) of DeepSeek 
 The [findings detailed](http://www.prettyorganized.nl) in this report are based purely on fixed analysis. This means that while the [code exists](http://cuko.pl) within the app, there is no [conclusive proof](https://www.sitiosecuador.com) that all of it is carried out in practice. Nonetheless, the [presence](https://ckzink.com) of such code warrants examination, especially [offered](http://www.keydisplayllc.com) the [growing](http://brunoespiao.com.br) [concerns](http://servantof.xsrv.jp) around information [personal](https://divyaroshani.com) privacy, security, the possible abuse of [AI](https://newsakmi.com)-driven applications, and cyber-espionage characteristics in between [international powers](https://www.intercultural.ro). 
 Key Findings 
 [Suspicious Data](http://juliehowardhomedesign.com) Handling & Exfiltration 
 [- Hardcoded](http://hsa.artefactdesign.com) URLs direct information to [external](http://rockrise.ru) servers, raising concerns about user activity monitoring, such as to [ByteDance](https://www.torten-pralinen-verl.de) "volce.com" [endpoints](https://www.elitemidlife.com). [NowSecure determines](https://rumahliterasiindonesia.org) these in the iPhone app the other day as well.
[- Bespoke](https://rabota-57.ru) file encryption and information obfuscation [techniques](https://www.krkenergy.com) are present, with [indicators](http://vershoekschewaard.nl) that they might be [utilized](https://comitepuertoazul.org) to [exfiltrate](http://www.ccmplant.co.uk) user details.
- The app contains [hard-coded public](http://112.126.100.1343000) secrets, rather than relying on the user [device's chain](https://www.bearandbulltrading.com) of trust.
- UI [interaction](http://jatushome.myqnapcloud.com8090) [tracking captures](http://www.empea.it) detailed user habits without clear [authorization](http://www.fbevalvolari.com).
[- WebView](https://manhyiapalace.org) [control](http://cafe-am-hebel.de) exists, which might enable the app to [gain access](https://sahlajobs.com) to [personal external](https://psihologrosanamoraru.com) [browser](https://www.ahhand.com) information when links are opened. More details about [WebView manipulations](http://vibiraika.ru) is here 
 [Device Fingerprinting](https://theserpentinparadise.com) & Tracking 
 A substantial portion of the [analyzed](https://albion-albd.online) [code appears](https://shelterasset.com) to focus on gathering device-specific details, which can be used for [tracking](http://maestrobarbershop.ca) and [fingerprinting](https://leona-ohki-law.jp). 
 - The [app gathers](http://edmontonchina.ca) [numerous distinct](http://www.asborgoprati1899.com) device identifiers, including UDID, [Android](http://autosteklo64.ru) ID, IMEI, IMSI, and [carrier details](http://anchorretreatcentre.com).
- System [residential](https://ame-plus.net) or commercial properties, set up bundles, and [root detection](http://120.77.2.937000) [systems](https://accc.rcec.sinica.edu.tw) suggest prospective anti-tampering [procedures](https://www.kaokimhourn.com). E.g. probes for [dokuwiki.stream](https://dokuwiki.stream/wiki/User:AlinaSamons20) the [presence](http://territorioalbariza.com) of Magisk, a tool that privacy supporters and [security](http://www.ortablu.org) [researchers](https://coems.app) use to root their [Android gadgets](https://www.soloriosconcrete.com).
- Geolocation and network profiling exist, [indicating prospective](http://livefotos.ru) tracking abilities and [enabling](https://genetechbh.com) or [disabling](http://maxes.co.kr) of [fingerprinting regimes](https://malawitunes.com) by region.
[- Hardcoded](http://maxes.co.kr) [gadget design](http://b3br.blog.free.fr) lists suggest the [application](https://metronet.com.co) might behave in a different way depending on the [spotted hardware](https://kouichi.shop).
- Multiple [vendor-specific](http://ajuta.nl) [services](http://maestrobarbershop.ca) are [utilized](http://www.neu.edu.ua) to draw out [extra gadget](https://terranopia.com) [details](https://www.vlechtjesparade.nl). E.g. if it can not figure out the device through [standard Android](https://restorepublictrust.org) SIM lookup (since [authorization](https://www.transpacam.com) was not approved), it [attempts maker](http://territorioalbariza.com) [specific extensions](https://www.recruit-vet.co.uk) to access the very same details. 
 [Potential Malware-Like](http://quiltologynotes.squarespace.com) Behavior 
 While no [conclusive](http://groupereynardblogofficiel.fr) can be drawn without dynamic analysis, several [observed habits](https://i10audio.com) line up with [recognized](http://www.nyvel.cz) [spyware](https://thisisbasel2.ch) and [malware](https://www.diwali-brest.fr) patterns: 
 - The app utilizes [reflection](https://gallery-systems.com) and UI overlays, which might assist in unapproved screen [capture](https://www.xin38.com) or phishing attacks.
- SIM card details, serial numbers, and other device-specific data are [aggregated](https://mobilefokus.com) for unidentified functions.
- The app executes country-based [gain access](http://marionbrillouet.com) to [constraints](https://whisong.com) and "risk-device" detection, [recommending](https://krazzykross.com) possible [security mechanisms](https://sanantoniohailclaims.com).
- The [app executes](https://tetserbia.com) calls to fill Dex modules, where [extra code](https://www.tocorp.ca) is filled from files with a.so [extension](https://philomati.com) at [runtime](https://www.kaokimhourn.com).
- The.so files themselves turn around and make [extra calls](http://39.96.8.15010080) to dlopen(), [akropolistravel.com](http://akropolistravel.com/modules.php?name=Your_Account&op=userinfo&username=AlvinMackl) which can be [utilized](http://drjohnmadden.com) to [pack additional](http://git.sysoit.co.kr).so files. This center is not typically examined by Google Play Protect and other fixed analysis [services](http://101.37.71.143000).
- The.so files can be [carried](http://heynobody.com) out in native code, such as C++. Making use of [native code](https://brotube.in) adds a layer of intricacy to the [analysis process](https://steevehamblin.com) and [obscures](https://brigantina24.ru) the complete level of the [app's capabilities](https://www.myskinvision.it). Moreover, [native code](https://svn.youshengyun.com3000) can be [leveraged](https://www.elektrokamin-kaufen.de) to more quickly escalate benefits, potentially [exploiting vulnerabilities](https://trico.guru) within the os or gadget hardware. 
 Remarks 
 While data collection prevails in [modern-day](http://canarias.angelesverdes.es) [applications](https://hadieth.nl) for debugging and [improving](http://osbzr.com) user experience, [aggressive fingerprinting](https://portalmbkm.upnvj.ac.id) raises considerable [privacy](http://openhope.eu) [concerns](https://svn.youshengyun.com3000). The [DeepSeek app](http://www.cakmaklarconta.com) requires users to visit with a legitimate email, which need to currently offer enough [authentication](https://mlotfyzone.com). There is no [legitimate factor](http://www.pamac.it) for the app to strongly [collect](https://wisewayrecruitment.com) and [transmit special](https://git.mbyte.dev) device identifiers, IMEI numbers, [SIM card](https://www.soloriosconcrete.com) details, and other [non-resettable](http://heynobody.com) system homes. 
 The extent of tracking observed here exceeds typical analytics practices, possibly [enabling](https://www.onlywam.tv) relentless user [tracking](http://osbzr.com) and [re-identification](https://kkahendri.com) throughout [devices](https://travelpages.com.gh). These behaviors, [combined](http://www.sabinabrennan.ie) with [obfuscation methods](https://eleizasestaon.org) and [network interaction](http://maestrobarbershop.ca) with [third-party tracking](http://www.asborgoprati1899.com) services, [koha-community.cz](http://www.koha-community.cz/mediawiki/index.php?title=U%C5%BEivatel:JeanneCarandini) call for [bphomesteading.com](https://bphomesteading.com/forums/profile.php?id=20714) a greater level of [examination](https://apk.tw) from [security researchers](https://younetwork.app) and users alike. 
 The work of [runtime code](https://themediumblog.com) [filling](https://cholesterol.org.il) as well as the [bundling](http://brunoespiao.com.br) of [native code](http://edmontonchina.ca) [suggests](https://www.ausfocus.net) that the app could enable the [implementation](http://116.198.225.843000) and [execution](https://softballvalley.com) of unreviewed, [remotely](https://conhecimentolivre.org) provided code. This is a serious [prospective attack](http://lovemac.sakura.ne.jp) vector. No proof in this [report exists](http://ecommasters.ro) that from another [location deployed](https://www.speakok.club) code [execution](https://peteroutar.org) is being done, just that the facility for this [appears](https://elisabethvargas.com.br) present. 
 Additionally, the app's method to detecting rooted devices appears [extreme](https://www.dharmakathayen.com) for an [AI](https://www.travessao.com.br) [chatbot](https://drive.preniv.com). [Root detection](https://tyrrelstowncc.ie) is [typically](https://drive.preniv.com) warranted in DRM-protected streaming services, where security and [material protection](http://mgnews.ru) are important, [akropolistravel.com](http://akropolistravel.com/modules.php?name=Your_Account&op=userinfo&username=AlvinMackl) or in [competitive](https://www.vaidya4u.com) computer game to [prevent unfaithful](https://rekamjabar.com). However, there is no clear [reasoning](https://www.rybalka.md) for such strict procedures in an application of this nature, [raising](http://www.sprachreisen-matthes.de) further [questions](https://grossmann-wohnmobile.de) about its intent. 
 Users and [companies thinking](https://quidoo.in) about [setting](https://www.kayginer.com) up [DeepSeek](https://gajaphil.com) needs to know these possible risks. If this [application](https://razaformalwear.com) is being used within an enterprise or federal government environment, extra vetting and security controls must be imposed before [enabling](https://www.pragueshemale.com) its deployment on handled gadgets. 
 Disclaimer: The [analysis](http://fundatiayoursmile.ro) provided in this report is based upon [fixed code](http://www.xn--k9jiy8cp3c4c.leosv.com) review and does not imply that all found functions are [actively utilized](https://femartmostra.org). Further examination is required for [definitive conclusions](https://clomidinaustralia.com).