Opened Feb 11, 2025 by Lashawnda Biddell@lashawnda8453
Static Analysis of The DeepSeek Android App


I performed a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to identify potential security and privacy issues.

I've blogged about DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, particularly given the growing concerns around data privacy, surveillance, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app yesterday as well.
- Custom encryption and data obfuscation methods are present, with indications that they may be used to exfiltrate user data.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView controls are here.

Device Fingerprinting & Tracking

A significant portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.

- The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot determine the device through the standard Android SIM lookup (because the permission was not granted), it tries manufacturer-specific extensions to access the same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app executes calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves in turn make additional calls to dlopen(), which can be used to load further .so files. This facility is not normally examined by Google Play Protect and other static analysis services.
- The .so files can be executed as native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the OS or device hardware.
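As an added example, not part of the original report: a small Python triage script that scans decompiled Android source for the indicator classes the findings above describe (non-resettable identifier APIs, Magisk probing, Dex/native runtime loading, hardcoded endpoints and embedded keys) and rolls the hits up into the concerns the report raises. The API names are real Android identifiers; the category grouping, the concern rules and the sample source fragment are constructed for this example.

```python
import re
from collections import defaultdict

# Indicator table keyed by finding category from the report. The API names are
# real Android/Java identifiers; the grouping is this example's own.
INDICATORS = {
    "device_identifiers": [
        r"\.getDeviceId\(", r"\.getImei\(", r"\.getSubscriberId\(",
        r"\.getSimSerialNumber\(", r"\bANDROID_ID\b",
    ],
    "root_detection": [r"(?i)magisk"],
    "runtime_code_loading": [r"\bDexClassLoader\b", r"\bSystem\.load(?:Library)?\(", r"\bdlopen\b"],
    "hardcoded_endpoints": [r"https?://[A-Za-z0-9.-]+"],
    "hardcoded_keys": [r"-----BEGIN (?:PUBLIC KEY|CERTIFICATE)-----"],
}

def scan_source(text):
    """Map each category to the (line_no, line) pairs that triggered it."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line) for p in patterns):
                hits[category].append((lineno, line.strip()))
    return dict(hits)

def assess(hits):
    """Combine raw indicators into the higher-level concerns the report raises."""
    concerns = []
    if "device_identifiers" in hits and "hardcoded_endpoints" in hits:
        concerns.append("non-resettable identifiers plus hardcoded endpoints: possible fingerprint exfiltration")
    if "runtime_code_loading" in hits:
        concerns.append("runtime Dex/native loading: code outside the reviewed APK may execute")
    if "root_detection" in hits:
        concerns.append("root/Magisk probing: anti-tampering unusual for a chatbot")
    if "hardcoded_keys" in hits:
        concerns.append("embedded key material bypasses the device trust store")
    return concerns

# Constructed decompiled-Java fragment for demonstration; not taken from any real app.
SAMPLE = """\
TelephonyManager tm = (TelephonyManager) ctx.getSystemService("phone");
String imei = tm.getDeviceId();
String imsi = tm.getSubscriberId();
String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
boolean rooted = new File("/sbin/.magisk").exists();
DexClassLoader dcl = new DexClassLoader(dexPath, odexDir, null, parent);
URL u = new URL("https://collector.example/report");
String PUB = "-----BEGIN PUBLIC KEY-----MIIB...";
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    for cat, lines in found.items():
        print(cat, [n for n, _ in lines])
    for c in assess(found):
        print("CONCERN:", c)
```

Point it at the output of a decompiler (e.g. one source file at a time) to get a first-pass list of locations worth reading by hand; a hit is a lead, not proof of execution, exactly as the report's own disclaimer says.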

Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide adequate authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading, together with the bundling of native code, suggests that the app could enable the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report exists that remotely delivered code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content protection are critical, or in competitive video games to prevent cheating. However, there is no clear rationale for such stringent measures in an application of this nature, raising further concerns about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be implemented before allowing its deployment on managed devices.

Disclaimer: The analysis provided in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is needed for definitive conclusions.
Reference: lashawnda8453/diamond-atelier#1