Static Analysis of The DeepSeek Android App
I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy issues.
I have discussed DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.
See also this analysis by NowSecure of the iPhone version of DeepSeek.
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the existence of such code warrants examination, particularly given the growing concerns around data privacy, security, the potential abuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings

Suspicious Data Handling & Exfiltration

– Hardcoded URLs direct data to external servers, such as ByteDance “volce.com” endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app yesterday as well.
– Bespoke encryption and data obfuscation methods are present, with indications that they could be used to exfiltrate user information.
– The app contains hard-coded public keys, rather than relying on the user device’s chain of trust.
– UI interaction tracking records detailed user activity without clear consent.
– WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulations are here.
Device Fingerprinting & Tracking
A significant portion of the examined code appears to focus on collecting device-specific information, which can be used for tracking and fingerprinting.
– The app collects numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
– System properties, installed packages, and root detection mechanisms suggest possible anti-tampering measures, e.g. probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
– Geolocation and network profiling are present, indicating possible tracking capabilities and the enabling or disabling of fingerprinting regimes by region.
– Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
– Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through the standard Android SIM lookup (because permission was not granted), it tries manufacturer-specific extensions to access the same details.
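The two lists above describe indicator classes that a reviewer would grep for in decompiled output (jadx or apktool text) rather than read by hand: non-resettable identifier APIs, OEM-specific fallbacks, root/Magisk probes, WebView hooks, reflection, runtime class loading and hardcoded endpoints. The triage script below is an added example, not the original author's tooling; its rule set, the `Finding`/`scan_source`/`summarize`/`external_hosts` names and the embedded `SAMPLE_DECOMPILED` snippet are all constructed for illustration (the sample is not DeepSeek code, and its hosts are example domains).

```python
"""Static triage of decompiled Android source for fingerprinting and
code-loading indicators. Added example; run over a jadx/apktool output tree.
Rules are regex heuristics: hits are leads, not proof of execution."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse

# (category, pattern, rationale). Patterns match Java-like decompiler output.
RULES = [
    ("device_identifier",
     re.compile(r"\b(getDeviceId|getImei|getMeid|getSubscriberId|getSimSerialNumber|"
                r"getLine1Number|Build\.SERIAL|getSerial|ANDROID_ID|getNetworkOperator)\b"),
     "non-resettable or carrier identifier"),
    ("vendor_fallback",
     re.compile(r"(com[./](huawei|samsung|xiaomi|oppo|vivo)\b|SystemProperties\.get|"
                r"\bro\.(serialno|product|build)\b)"),
     "OEM-specific extension or system-property probe"),
    ("root_detection",
     re.compile(r"(magisk|/sbin/su|/system/xbin/su|/system/bin/su|RootBeer|test-keys|Superuser\.apk)",
                re.IGNORECASE),
     "root / Magisk probe"),
    ("dynamic_code_loading",
     re.compile(r"\b(DexClassLoader|PathClassLoader|InMemoryDexClassLoader|System\.load(Library)?|"
                r"Runtime\.getRuntime\(\)\.load|dlopen)\b"),
     "runtime code loading"),
    ("reflection",
     re.compile(r"\b(Class\.forName|getDeclaredMethod|getMethod)\s*\(|\.invoke\s*\("),
     "reflection (hides call targets from static review)"),
    ("webview_control",
     re.compile(r"\b(addJavascriptInterface|setJavaScriptEnabled|shouldOverrideUrlLoading|loadUrl)\b"),
     "WebView hook"),
]
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


@dataclass(frozen=True)
class Finding:
    category: str
    line: int
    match: str
    context: str


def scan_source(text: str) -> list[Finding]:
    """One Finding per (rule, line) hit; URL hits are reported as hardcoded_endpoint with the host."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern, _ in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(category, lineno, m.group(0), line.strip()))
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or url
            findings.append(Finding("hardcoded_endpoint", lineno, host, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


def external_hosts(findings: list[Finding], first_party: tuple[str, ...] = ()) -> list[str]:
    """Hosts from hardcoded URLs that are not the vendor's own domains (third-party endpoints)."""
    hosts = {f.match for f in findings if f.category == "hardcoded_endpoint"}
    return sorted(h for h in hosts
                  if not any(h == fp or h.endswith("." + fp) for fp in first_party))


# Constructed sample of decompiler-style output (not real app code).
SAMPLE_DECOMPILED = """\
package com.example.chat.telemetry;
public class DeviceInfo {
  String imei = ((TelephonyManager) ctx.getSystemService("phone")).getDeviceId();
  String imsi = tm.getSubscriberId();
  String aid = Settings.Secure.getString(resolver, Settings.Secure.ANDROID_ID);
  String serial = SystemProperties.get("ro.serialno");
  Object oem = Class.forName("com.huawei.android.os.BuildEx").getMethod("getUDID").invoke(null);
  boolean rooted = new File("/sbin/.magisk").exists() || new File("/system/xbin/su").exists();
  static final String REPORT_URL = "https://telemetry.example.net/v1/report";
  static final String API_URL = "https://api.example.com/chat";
  void loadPlugin(File f) {
    System.load(f.getAbsolutePath());
    Class<?> c = new DexClassLoader(f.getPath(), cache, null, getClassLoader()).loadClass("p.Main");
    c.getDeclaredMethod("run").invoke(null);
    webView.addJavascriptInterface(new Bridge(), "native");
  }
}
"""

if __name__ == "__main__":
    # Usage: python triage.py [decompiled.java ...]; with no args, scans the sample.
    sources = [Path(p).read_text(errors="replace") for p in sys.argv[1:]] or [SAMPLE_DECOMPILED]
    for src in sources:
        found = scan_source(src)
        for f in found:
            print(f"{f.line:5d} {f.category:22s} {f.match:28s} {f.context}")
        print("summary:", summarize(found))
        print("third-party hosts:", external_hosts(found, first_party=("example.com",)))
```

The per-line context lets you check each hit against surrounding code, which matters for the vendor-fallback case above: a `SystemProperties.get` or `com.huawei.*` reflection call that sits in the failure branch of a `TelephonyManager` lookup is what the "try manufacturer-specific extensions" pattern looks like in source.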

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, a number of observed behaviors align with known spyware and malware patterns:
– The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
– SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
– The app implements country-based access restrictions and “risk-device” detection, suggesting possible security mechanisms.
– The app makes calls to load Dex modules, where additional code is loaded at runtime from files with a .so extension.
– The .so files themselves in turn make further calls to dlopen(), which can be used to load additional .so files. This facility is not typically inspected by Google Play Protect and other static analysis services.
– The .so files can be executed as native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app’s capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
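The three .so-related points above describe a loading chain that source-level review does not reach: a file under lib/ may be a DEX wearing a .so extension, or a genuine ELF that imports dlopen() and carries a DEX payload to map later. The checker below is an added example (not the original analysis's tooling) that triages the native libraries in an APK at the byte level: it looks for the ELF magic, NUL-terminated loader symbol names as they appear in .dynstr, and the DEX header magic. It is a strings-style heuristic rather than a full ELF parser, so confirm hits with readelf or a debugger; `inspect_library`, `inspect_apk`, `LibReport` and the `SAMPLE_LIB`/`CLEAN_LIB`/`DEX_AS_SO` byte blobs are constructed for illustration.

```python
"""Byte-level triage of lib/<abi>/*.so entries for dlopen() chains and
embedded or disguised DEX. Added example; heuristic only (no ELF parsing)."""
from __future__ import annotations

import sys
import zipfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
# DEX header starts with "dex\n" + three-digit version + NUL, e.g. b"dex\n035\x00".
DEX_MAGIC_RE = __import__("re").compile(rb"dex\n(\d{3})\x00")
# Symbol/class names worth flagging; matched with a trailing NUL as stored in .dynstr
# or in JNI FindClass string literals, so "dlopen" does not match "android_dlopen_ext".
LOADER_SYMBOLS = (b"dlopen", b"dlsym", b"android_dlopen_ext", b"JNI_OnLoad",
                  b"dalvik/system/DexClassLoader", b"dalvik/system/InMemoryDexClassLoader")
DLOPEN_LIKE = {"dlopen", "android_dlopen_ext"}


@dataclass
class LibReport:
    name: str
    is_elf: bool
    symbols: list[str] = field(default_factory=list)
    dex_offsets: list[int] = field(default_factory=list)

    def suspicious(self) -> bool:
        # A .so that is really a DEX, or an ELF that can load more code at runtime
        # (imports dlopen) or carries a DEX blob to hand to a class loader.
        if not self.is_elf:
            return bool(self.dex_offsets)
        return bool(self.dex_offsets) or bool(DLOPEN_LIKE & set(self.symbols))


def inspect_library(name: str, blob: bytes) -> LibReport:
    report = LibReport(name, blob.startswith(ELF_MAGIC))
    for sym in LOADER_SYMBOLS:
        if sym + b"\x00" in blob:
            report.symbols.append(sym.decode())
    report.dex_offsets = [m.start() for m in DEX_MAGIC_RE.finditer(blob)]
    return report


def inspect_apk(path: str) -> list[LibReport]:
    """Run the check over every native library bundled in an APK (a zip)."""
    with zipfile.ZipFile(path) as z:
        return [inspect_library(n, z.read(n))
                for n in z.namelist() if n.startswith("lib/") and n.endswith(".so")]


# Constructed blobs standing in for real libraries (not taken from any app).
SAMPLE_LIB = (
    ELF_MAGIC + bytes(60)                                   # fake 64-byte ELF header
    + b"\x00libc.so\x00dlopen\x00dlsym\x00JNI_OnLoad\x00"   # .dynstr-like region
    + b"dalvik/system/InMemoryDexClassLoader\x00"          # JNI FindClass literal
    + bytes(16)
    + b"dex\n035\x00" + bytes(32)                           # embedded DEX payload
)
CLEAN_LIB = ELF_MAGIC + bytes(60) + b"\x00libc.so\x00__cxa_finalize\x00JNI_OnLoad\x00"
DEX_AS_SO = b"dex\n035\x00" + bytes(40)                    # a DEX renamed to .so

if __name__ == "__main__":
    # Usage: python libcheck.py app.apk; with no argument, inspects the constructed blobs.
    reports = (inspect_apk(sys.argv[1]) if len(sys.argv) > 1 else
               [inspect_library("lib/arm64-v8a/libplugin.so", SAMPLE_LIB),
                inspect_library("lib/arm64-v8a/libclean.so", CLEAN_LIB),
                inspect_library("lib/arm64-v8a/libfake.so", DEX_AS_SO)])
    for r in reports:
        flag = "SUSPICIOUS" if r.suspicious() else "ok"
        print(f"{flag:10s} {r.name} elf={r.is_elf} symbols={r.symbols} dex_at={r.dex_offsets}")
```

JNI_OnLoad alone is normal for any JNI library and is reported but not flagged; the combination the text describes (dlopen import plus a DEX blob, or a non-ELF .so that is a DEX) is what `suspicious()` keys on. A flagged library is the input for dynamic confirmation, e.g. hooking dlopen and DexClassLoader at runtime to see what actually gets loaded.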
Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy issues. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no valid reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The level of tracking observed here exceeds typical analytics practices, potentially allowing persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, call for a higher level of scrutiny from security researchers and users alike.
The use of runtime code loading together with the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence is provided in this report that remotely delivered code execution is taking place, only that the facility for it appears to be present.
Additionally, the app’s approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content protection are important, or in competitive games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further questions about its intent.
Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within a corporate or government environment, additional vetting and security controls should be imposed before allowing its deployment on managed devices.
Disclaimer: The analysis presented in this report is based on static code review and does not imply that all identified functions are actively used. Further investigation is needed for definitive conclusions.