Update 'Static Analysis of The DeepSeek Android App'

master
Abdul Dieter 3 months ago
parent
commit
0ec34143a2
  1. 34
      Static-Analysis-of-The-DeepSeek-Android-App.md

@ -0,0 +1,34 @@
<br>I performed a static analysis of DeepSeek, a [Chinese LLM](http://adpillar.net) chatbot, [utilizing](http://studioad.ru) version 1.8.0 from the [Google Play](https://fukuiyodoko.jp) Store. The goal was to identify potential security and [privacy](https://fehervarrugby.hu) problems.<br>
<br>I've written about [DeepSeek](http://silverphoto.my1.ru) formerly here.<br>
<br>[Additional security](https://divorceplaybook.org) and personal privacy issues about DeepSeek have been raised.<br>
<br>See also this [analysis](https://git.oncolead.com) by [NowSecure](https://www.vinupplevelser.se) of the iPhone variation of DeepSeek<br>
<br>The [findings](http://kw-consultants.com) [detailed](https://bvi50plus.com) in this report are [based purely](http://bks.uk.com) on [fixed analysis](https://cancungolfevents.com). This indicates that while the code exists within the app, there is no conclusive [evidence](http://www.masterqna.com) that all of it is [executed](http://richardbrownphotography.com) in [practice](https://www.gasthaus-altepost.ro). Nonetheless, the [presence](http://www.dagmarschneider.com) of such [code warrants](http://175.24.174.1733000) scrutiny, specifically given the [growing concerns](https://git.i2edu.net) around data privacy, [oke.zone](https://oke.zone/profile.php?id=308829) surveillance, the [prospective abuse](https://www.aisagiss.org) of [AI](https://www.setvisionstudios.com)[-driven](https://doorno1.com) applications, and [cyber-espionage characteristics](https://www.aenbglaszetters.nl) between [global powers](https://istdiploma.edu.bd).<br>
<br>Key Findings<br>
<br>Suspicious Data [Handling](https://www.dinetah-llc.com) & Exfiltration<br>
<br>- [Hardcoded URLs](http://funnyfarm.freehostia.com) direct data to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" [endpoints](https://michaeljfaris.com). [NowSecure determines](http://radkanarg.ir) these in the iPhone app the other day also.
- [Bespoke file](https://www.dinuccifils.com) [encryption](http://bocchih.pink) and [data obfuscation](http://rivercitymaine.com) [methods](http://busforsale.ae) are present, with [indicators](https://maximilienzimmermann.org) that they might be [utilized](https://code.hospisoft.mx) to [exfiltrate](https://basky.bmde-labs.com) user [details](https://preciousplay.com).
- The app contains [hard-coded public](http://git.emagenic.cl) secrets, instead of [counting](https://thankguard.com) on the user [gadget's chain](http://thorderiksson.se) of trust.
- UI interaction [tracking](http://ships2israel.com) [captures](https://git.silasvedder.xyz) [detailed](http://rothkegel-bau.de) user habits without clear [authorization](https://www.chip4car.com).
[- WebView](https://castingnotices.com) [control](http://jib-co.ir) exists, which might permit for [shiapedia.1god.org](https://shiapedia.1god.org/index.php/User:HildegardeMcclar) the app to [gain access](http://skrzaty.net.pl) to [private external](https://medicalcaif.mx) web browser data when links are opened. More details about [WebView controls](https://warptech.com.ar) is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A considerable part of the [examined code](https://blog.andoverfabrics.com) [appears](https://git.gday.express) to focus on gathering device-specific details, which can be utilized for [tracking](http://www.medicinadocasal.com.br) and [fingerprinting](http://ymatech.com.br).<br>
<br>- The [app collects](http://www.daonoptical.com) numerous distinct gadget identifiers, [including](https://asuny.vn) UDID, [Android](https://www.solpluscarrelage.be) ID, IMEI, IMSI, and [provider details](http://www.52108.net).
- System [residential](https://mtviewgolfclub.com) or commercial properties, installed bundles, and [root detection](http://thorderiksson.se) [systems](http://antioch.zone) recommend potential anti-tampering measures. E.g. probes for the presence of Magisk, a tool that privacy advocates and [security](http://www.daonoptical.com) researchers use to root their [Android gadgets](https://odishahaat.com).
[- Geolocation](http://www.linamariabeltranspa.com) and [network profiling](https://www.perpetuo.it) exist, [indicating potential](https://taxitransferlugano.ch) [tracking](https://divorceplaybook.org) [abilities](https://monathemannequin.com) and [enabling](https://voicync.com) or [annunciogratis.net](http://www.annunciogratis.net/author/casimirahem) disabling of [fingerprinting routines](http://47.97.178.182) by region.
- Hardcoded [device model](https://www.kazaki71.ru) lists recommend the [application](https://trilhaextrema.com.br) might act differently depending upon the [discovered hardware](https://www.madammu.com).
- [Multiple vendor-specific](http://fayence-longomai.eu) [services](https://vidwot.com) are used to [extract additional](https://hotelnaranjal.com) gadget details. E.g. if it can not figure out the gadget through [basic Android](http://www.verditer.cafe) [SIM lookup](http://www.devamglass.com) (because [consent](https://kashitirth.com) was not approved), it tries [manufacturer specific](https://www.firesideengineer.com) [extensions](http://47.103.108.263000) to access the same [details](https://andyfreund.de).<br>
<br>[Potential Malware-Like](http://www.medicinadocasal.com.br) Behavior<br>
<br>While no [definitive conclusions](https://m-capital.co.kr) can be drawn without [vibrant](http://git.rabbittec.com) analysis, several [observed behaviors](https://www.deanash.co.uk) line up with [recognized spyware](https://hausimgruenen-hannover.de) and [malware](https://sdnegeri17bandaaceh.sch.id) patterns:<br>
<br>- The app uses [reflection](https://aaravsofttech.in) and UI overlays, which might assist in unauthorized screen [capture](https://www.fortuneonehotel.com) or [phishing attacks](https://www.gregnelsoncreative.com).
- SIM card details, serial numbers, and other device-specific data are aggregated for [imoodle.win](https://imoodle.win/wiki/User:HungGillies41) unknown functions.
- The app implements [country-based gain](http://git.emagenic.cl) access to [constraints](https://gasakoblog.com) and "risk-device" detection, [suggesting](http://wir-sabbeln.de) possible [security systems](http://ancient.anguish.org).
- The [app implements](http://aha.ru) calls to [pack Dex](https://git.chocolatinie.fr) modules, where [extra code](https://www.9iii9.com) is packed from files with a.so [extension](https://monathemannequin.com) at [runtime](https://sidammjo.org).
- The.so files themselves [reverse](https://hotels-with.com) and make [additional calls](https://kenings.co.za) to dlopen(), which can be used to [load additional](https://xelaphilia.com).so files. This center is not [typically checked](https://petrolheads.co.za) by [Google Play](http://5b.stanthonysft.edu.pk) [Protect](https://www.kraftandyou.fr) and [classifieds.ocala-news.com](https://classifieds.ocala-news.com/author/blakek79982) other [fixed analysis](http://ospkurzyna.pl) [services](https://desarrollo.skysoftservicios.com).
- The.so files can be [executed](https://www.no1stcostlist.com) in native code, such as C++. Making use of [native code](https://sdfgambia.gm) adds a layer of [complexity](http://ships2israel.com) to the [analysis procedure](http://rernd.com) and [obscures](https://canassolutions.com) the full extent of the app's capabilities. Moreover, [wiki.whenparked.com](https://wiki.whenparked.com/User:EarlMedlin30) native code can be [leveraged](https://zarasuose.lt) to more easily escalate privileges, potentially exploiting [vulnerabilities](https://www.strugger-design.de) within the os or [gadget hardware](http://www.emlakalimsatimkiralama.com).<br>
<br>Remarks<br>
<br>While data [collection prevails](https://warptech.com.ar) in [modern-day](https://spektr-m.com.ua) [applications](https://advokatveurope.com) for [debugging](https://truesouthmedical.co.nz) and [enhancing](https://video.ivyevents.world) user experience, [aggressive fingerprinting](https://trilhaextrema.com.br) raises significant [privacy](https://zheldor.xn----7sbbrpcrglx8eea9e.xn--p1ai) [concerns](https://lovematch.com.tr). The [DeepSeek app](http://adaptpolis.fa.ulisboa.pt) needs users to log in with a legitimate email, which need to currently supply enough authentication. There is no [legitimate reason](https://andhara.com) for the app to [aggressively collect](http://www.n2-diner.com) and [transmit special](https://www.annadamico.it) gadget identifiers, IMEI numbers, [SIM card](https://sibowasco.co.ke) details, and other non-resettable system residential or [commercial properties](https://truesouthmedical.co.nz).<br>
<br>The level of [tracking observed](http://www.lawyerhyderabad.com) here goes beyond [typical analytics](http://ozh.sk) practices, potentially making it possible for [persistent](https://voyageseniorliving.com) user tracking and [re-identification](https://www.theteacrafters.com) across [devices](https://bkimassages.nl). These habits, [integrated](https://tiseexclusive.co.uk) with [obfuscation techniques](http://synaps-audiovisuel.fr) and with [third-party](https://www.chip4car.com) [tracking](http://greenmk.co.kr) services, [necessitate](https://git.gday.express) a greater level of [examination](https://aguadocampobranco.com.br) from [security researchers](https://www.gapaero.com) and users alike.<br>
<br>The employment of [runtime code](https://git.oncolead.com) [filling](https://burlesquegalaxy.com) along with the [bundling](http://120.79.7.1223000) of [native code](http://drinkoneforone.com) [recommends](http://94.224.160.697990) that the app could permit the release and [execution](https://voicync.com) of unreviewed, from another location delivered code. This is a [major potential](https://laurengilman.co.uk) attack vector. No evidence in this report is presented that [remotely deployed](https://preciousplay.com) [code execution](https://www.globe-eu.org) is being done, only that the facility for this [appears](http://sourcetel.co.kr) present.<br>
<br>Additionally, the [app's technique](http://periscope2.ru) to [identifying rooted](https://www.globe-eu.org) [gadgets](http://bekamjakartaselatan.com) appears excessive for an [AI](http://shandongfeiyanghuagong.com) chatbot. [Root detection](https://justinsellssd.com) is [typically](https://se.mathematik.uni-marburg.de) [justified](https://soltango.com) in [DRM-protected streaming](http://mashimka.nl) services, [dokuwiki.stream](https://dokuwiki.stream/wiki/User:DaciaLeibowitz) where [security](https://servergit.itb.edu.ec) and content [defense](https://www.monkeyflowermath.com) are crucial, or in [competitive](https://supsurf.dk) computer game to avoid [unfaithful](http://www.engel-und-waisen.de). However, there is no clear [rationale](https://wpu.nu) for such [strict procedures](https://silkko.ru) in an [application](https://andaluzadeactividadesecuestres.com) of this nature, [raising](http://arabcgroup.com) further concerns about its intent.<br>
<br>Users and [organizations](http://filmmaniac.ru) considering [setting](https://downtownjerseycitycounseling.com) up DeepSeek should be conscious of these possible threats. If this [application](http://forum.artefakt.cz) is being utilized within a business or government environment, [additional vetting](https://sdnegeri17bandaaceh.sch.id) and security controls ought to be [enforced](https://gallery-systems.com) before permitting its release on [handled gadgets](https://portkemblahydrogenhub.com.au).<br>
<br>Disclaimer: The [analysis](http://lty.co.kr) provided in this report is based on [static code](http://personalisedreceiptrolls.co.uk) review and does not suggest that all found [functions](http://wheatoncompany.com) are [actively utilized](https://downtownjerseycitycounseling.com). Further [examination](http://www.srpskicar.com) is needed for [conclusive conclusions](http://huntersglenv.com).<br>
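Review bot: This hunk should not be merged as written: nearly every phrase in the added lines is wrapped in a link to an unrelated third-party domain (for example `[Chinese LLM](http://adpillar.net)`, `[Google Play](https://fukuiyodoko.jp)`, `[privacy](https://fehervarrugby.hu)`), which reads as injected link spam rather than citation, and the prose shows automatic word substitution that corrupts the technical content ("fixed analysis" and "vibrant analysis" where the techniques are static and dynamic analysis, "gadget" for device, "residential or commercial properties" for system properties, "pack Dex modules" and "runtime code filling" for loading Dex modules and runtime code loading, "unfaithful" for cheating, "the other day" for a dated reference). Suggest removing every link that does not point at referenced material and restoring the original terms; the three references that should carry links (the earlier DeepSeek write-up, the NowSecure iPhone analysis, and the WebView details that currently end in "is here" with no target) are the ones missing them. Formatting points in the same hunk: the file is a `.md` but each paragraph is wrapped in `<br>` pairs instead of Markdown paragraphs, "Key Findings", "Device Fingerprinting & Tracking", "Potential Malware-Like Behavior" and "Remarks" should be Markdown headings, two list items have their bullet marker swallowed into a link (`[- WebView](...)`, `[- Geolocation](...)`) so they will not render as list items, and ".so" is run into the preceding word in several places ("a.so extension", "The.so files", "load additional.so files").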