Created Feb 16, 2025 by Adell Collier (@adell628893828, Maintainer)

Static Analysis of The DeepSeek Android App


I performed a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to identify potential security and privacy issues.

I've discussed DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this by NowSecure on the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

  • Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app the other day as well.
  • Bespoke file encryption and data obfuscation methods are present, with indications that they could be used to exfiltrate user details.
  • The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
  • UI interaction tracking records detailed user behavior without clear consent.
  • WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulations is here.

Device Fingerprinting & Tracking

A significant portion of the analyzed code appears to focus on gathering device-specific information, which can be used for tracking and fingerprinting.

  • The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
  • System properties, installed packages, and root detection mechanisms suggest possible anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
  • Geolocation and network profiling are present, suggesting potential tracking capabilities and enabling or disabling of fingerprinting routines by region.
  • Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
  • Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through standard Android SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same information.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

  • The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
  • SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
  • The app implements country-based access restrictions and "risk-device" detection, suggesting possible security mechanisms.
  • The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
  • The .so files themselves turn around and make additional calls to dlopen(), which can be used to load additional .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
  • The .so files can be implemented in native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.

Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here goes beyond typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, call for a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading as well as the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence is presented in this report that remotely deployed code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and content protection are critical, or in competitive video games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is required for definitive conclusions.
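
For anyone vetting an app before allowing it on managed devices, the finding categories above (device identifiers, root detection, runtime code loading, hardcoded third-party endpoints) can be turned into a first-pass triage over decompiled source. The following is an added example, not code from the report or from the app; the rule set, the sample lines and the first-party host app.example.test are constructed assumptions, while the API names in the patterns are real Android, Java and libc names.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed first-party host (placeholder); anything else counts as third-party.
FIRST_PARTY = {"app.example.test"}

# Assumed rule set, one pattern per finding category named in the report.
RULES = {
    "device-identifier": re.compile(
        r"\b(getDeviceId|getImei|getSubscriberId|getSimSerialNumber|"
        r"getNetworkOperatorName)\s*\(|Settings\.Secure\.ANDROID_ID"),
    "root-detection": re.compile(r"magisk|/s?bin/su\b|/xbin/su\b", re.I),
    "dynamic-code-loading": re.compile(
        r"\bDexClassLoader\b|\bSystem\.load(Library)?\s*\(|\bdlopen\s*\("),
}
URL = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample standing in for decompiler output: (path, source line).
SAMPLE = [
    ("a/b/C.java", 'String id = tm.getImei();'),
    ("a/b/C.java", 'String imsi = tm.getSubscriberId();'),
    ("a/b/D.java", 'new File("/sbin/.magisk").exists();'),
    ("a/b/E.java", 'new DexClassLoader(path, opt, null, parent);'),
    ("jni/loader.c", 'void *h = dlopen(name, RTLD_NOW);'),
    ("a/b/F.java", 'static final String U = "https://telemetry.example.net/v1/log";'),
    ("a/b/F.java", 'static final String H = "https://app.example.test/api";'),
    ("a/b/G.java", 'int n = list.size();'),
]

def triage(lines, first_party=FIRST_PARTY):
    """Group matching lines by category; presence is not proof of execution."""
    findings = defaultdict(list)
    for path, text in lines:
        for category, pattern in RULES.items():
            if pattern.search(text):
                findings[category].append((path, text.strip()))
        for url in URL.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in first_party:
                findings["third-party-endpoint"].append((path, host))
    return dict(findings)

def summary(findings):
    """Hit count per category, sorted by category name."""
    return {category: len(hits) for category, hits in sorted(findings.items())}

if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE).items()):
        for path, detail in hits:
            print(f"{category:22} {path}: {detail}")
```

As with the report itself, a hit only shows that the code is present; confirming that it runs requires dynamic analysis.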