I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The goal was to identify possible security and privacy problems.

I've composed about DeepSeek formerly here.

Additional security and personal privacy concerns about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone version of DeepSeek

The findings detailed in this report are based simply on fixed analysis. This indicates that while the code exists within the app, there is no definitive proof that all of it is performed in practice. Nonetheless, the presence of such code warrants examination, specifically provided the growing concerns around information personal privacy, security, the potential abuse of AI-driven applications, and cyber-espionage dynamics in between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app the other day also.

• Bespoke encryption and information obfuscation methods exist, setiathome.berkeley.edu with indications that they might be utilized to exfiltrate user details.
• The app contains hard-coded public keys, instead of relying on the user gadget's chain of trust.
• UI interaction tracking catches detailed user habits without clear authorization.
• WebView adjustment is present, which might permit the app to gain access to private external web browser information when links are opened. More details about WebView adjustments is here
  
  Device Fingerprinting & Tracking
  
  A significant part of the examined code appears to concentrate on gathering device-specific details, which can be utilized for tracking and fingerprinting.
  
  - The app gathers different distinct device identifiers, including UDID, Android ID, IMEI, IMSI, and provider details.
• System properties, set up bundles, and parentingliteracy.com root detection mechanisms recommend prospective anti-tampering procedures. E.g. probes for the existence of Magisk, a tool that privacy supporters and security researchers utilize to root their Android gadgets.
• Geolocation and network profiling exist, suggesting possible tracking abilities and enabling or opensourcebridge.science disabling of fingerprinting programs by region.
• Hardcoded gadget model lists recommend the application may behave in a different way depending upon the discovered hardware.
• Multiple vendor-specific services are utilized to draw out additional gadget details. E.g. if it can not determine the gadget through basic Android SIM lookup (because consent was not given), it tries manufacturer specific to access the exact same details.
  
  Potential Malware-Like Behavior
  
  While no definitive conclusions can be drawn without vibrant analysis, a number of observed behaviors line up with known spyware and malware patterns:
  
  - The app uses reflection and 35.237.164.2 UI overlays, which could help with unauthorized screen capture or phishing attacks.
• SIM card details, identification numbers, and forum.batman.gainedge.org other device-specific information are aggregated for unidentified functions.
• The app carries out country-based gain access to constraints and "risk-device" detection, suggesting possible surveillance mechanisms.
• The app carries out calls to fill Dex modules, where extra code is filled from files with a.so extension at runtime.
• The.so files themselves reverse and make extra calls to dlopen(), which can be utilized to fill additional.so files. This center is not normally inspected by Google Play Protect and other fixed analysis services.
• The.so files can be carried out in native code, such as C++. Making use of native code adds a layer of intricacy to the analysis procedure and obscures the full level of the app's abilities. Moreover, native code can be leveraged to more quickly intensify benefits, potentially making use of vulnerabilities within the operating system or gadget hardware.
  
  Remarks
  
  While information collection prevails in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to visit with a legitimate email, which must already provide sufficient authentication. There is no legitimate reason for the app to strongly gather and transmit unique gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
  
  The level of tracking observed here exceeds typical analytics practices, potentially making it possible for classifieds.ocala-news.com persistent user tracking and re-identification throughout gadgets. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, call for a higher level of scrutiny from security scientists and users alike.
  
  The employment of runtime code packing along with the bundling of native code recommends that the app might enable the deployment and execution of unreviewed, remotely provided code. This is a serious possible attack vector. No proof in this report exists that from another location deployed code execution is being done, only that the facility for this appears present.
  
  Additionally, the app's approach to identifying rooted gadgets appears excessive for an AI chatbot. Root detection is typically warranted in DRM-protected streaming services, where security and content security are vital, or in competitive video games to prevent unfaithful. However, there is no clear reasoning for such stringent measures in an application of this nature, raising more concerns about its intent.
  
  Users and organizations thinking about setting up DeepSeek needs to know these potential dangers. If this application is being utilized within a business or government environment, extra vetting and security controls must be implemented before permitting its deployment on managed devices.
  
  Disclaimer: The analysis provided in this report is based on fixed code evaluation and does not indicate that all found functions are actively utilized. Further examination is required for conclusive conclusions.