1 changed files with 32 additions and 32 deletions
@@ -1,34 +1,34 @@
|
||||
<br>I [performed](https://git.pawott.de) a [fixed analysis](http://printedrolls.com) of DeepSeek, a [Chinese LLM](http://git.zonaweb.com.br3000) chatbot, using version 1.8.0 from the [Google Play](http://technodor.spb.ru) Store. The goal was to [determine](http://empoweredsolutions101.com) possible [security](https://www.bedasso.org.uk) and [personal privacy](http://jungtest.pagei.gethompy.com) problems.<br> |
||||
<br>I've [blogged](https://physiohenggeler.ch) about [DeepSeek](https://quickservicesrecruits.com) previously here.<br> |
||||
<br>[Additional security](https://www.inmo-ener.es) and [privacy](http://175.6.40.688081) [concerns](https://andreleaoadvogado.com) about [DeepSeek](https://100trailsmagazine.be) have been raised.<br> |
||||
<br>See also this [analysis](https://tacoslapina.com) by [NowSecure](https://bug-bounty.firwal.com) of the [iPhone variation](https://www.dailygabe.com) of DeepSeek<br> |
||||
<br>The [findings detailed](http://news1.ahibo.com) in this report are [based simply](http://www.crepes-bertel.com) on [static analysis](https://git.zyhhb.net). This [suggests](https://miroil.hu) that while the [code exists](http://121.36.62.315000) within the app, there is no [conclusive](https://radardocente.com) [evidence](https://mu-service.com) that all of it is [performed](https://muirwoodvineyards.com) in . Nonetheless, the [presence](https://neva-time-ea.ru) of such [code warrants](https://www.eurodecorcuneo.it) scrutiny, especially given the [growing](http://oceanblue.co.kr) [concerns](https://nadine-wettstein.de) around information [personal](http://vatsalyadham.com) privacy, security, the [prospective abuse](https://stilliamlearning.edublogs.org) of [AI](https://recrutamentotvde.pt)[-driven](http://cbim.fr) applications, and [cyber-espionage dynamics](http://slageri.blog.rs) in between [worldwide powers](https://softmasters.pl).<br> |
||||
<br>I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The [objective](https://crochetopia.com.br) was to determine possible security and personal privacy problems.<br> |
||||
<br>I've discussed DeepSeek formerly here.<br> |
||||
<br>Additional security and [personal privacy](https://hitflowers.bg) issues about DeepSeek have been raised.<br> |
||||
<br>See likewise this analysis by NowSecure of the iPhone variation of DeepSeek<br> |
||||
<br>The [findings](https://equatorlinerestaurant.com) detailed in this report are [based simply](http://www.ursula-art.net) on static analysis. This indicates that while the [code exists](http://www.younoo.com) within the app, there is no definitive proof that all of it is performed in [practice](https://gitea.liquidrinu.com). Nonetheless, the existence of such code warrants analysis, specifically offered the growing concerns around information personal privacy, monitoring, the possible abuse of [AI](http://maitri.adaptiveit.net)-driven applications, and cyber-espionage dynamics between worldwide powers.<br> |
||||
<br>Key Findings<br> |
||||
<br>[Suspicious Data](http://www.groenendael.fr) [Handling](https://billybakerproducer.com) & Exfiltration<br> |
||||
<br>[- Hardcoded](https://git.worfu.com) URLs [direct data](https://d.akinori.org) to [external](https://bestnbiz.com) servers, [raising issues](https://athanasfence.com) about user [activity](https://www.stradeblu.org) monitoring, such as to [ByteDance](https://www.bizempire.in) "volce.com" [endpoints](https://kpi-eg.ru). [NowSecure identifies](https://careerhub.hse.ie) these in the [iPhone app](http://verheiratet.jungundmittellos.de) the other day too. |
||||
- [Bespoke encryption](http://hmind.kr) and information [obfuscation](http://1.213.162.98) approaches are present, with signs that they could be used to [exfiltrate](https://careers.ecocashholdings.co.zw) user [details](https://parroquiasanpedro.org). |
||||
- The app contains [hard-coded public](https://socialpix.club) secrets, [chessdatabase.science](https://chessdatabase.science/wiki/User:QVRArielle) instead of [depending](https://www.beres-intro.sk) on the user [gadget's chain](http://lifebiz.ipdisk.co.kr) of trust. |
||||
- UI [interaction tracking](https://coccicocci.com) [catches detailed](http://git.zonaweb.com.br3000) user habits without clear [consent](https://cumminsclan.net). |
||||
[- WebView](https://www.cjbaseball.com) [control](https://www.dinuccifils.com) exists, which might permit the app to [gain access](https://viettelldongthap.com) to [personal external](https://studentorg.vanderbilt.edu) [internet browser](http://119.3.29.1773000) information when links are opened. More [details](https://leadershiplogicny.com) about [WebView manipulations](http://haoyustore.com) is here<br> |
||||
<br>[Device Fingerprinting](https://smp.edu.rs) & Tracking<br> |
||||
<br>A significant part of the [analyzed](http://www.elitprestij.com) code [appears](http://coenvandenakker.nl) to focus on [event device-specific](https://bcph.co.in) details, which can be [utilized](https://gajaphil.com) for [tracking](https://www.kairospetrol.com) and [fingerprinting](https://173.212.221.172).<br> |
||||
<br>- The [app gathers](http://47.92.27.1153000) various [unique gadget](https://moprints.co.tz) identifiers, consisting of UDID, [Android](https://chasstirki.ru) ID, IMEI, IMSI, and [provider details](https://allthingskae.com). |
||||
- System properties, set up packages, and [root detection](http://acumarko.pl) [mechanisms](http://www.mortenhh.dk) recommend potential [anti-tampering measures](https://vierbeinige-freunde.de). E.g. probes for the [existence](https://gogs.greta.wywiwyg.net) of Magisk, a tool that [privacy advocates](https://socialpix.club) and security researchers use to root their [Android devices](http://ahead.astro.noa.gr). |
||||
[- Geolocation](http://swasana.id) and [network profiling](https://schuchmann.ch) are present, showing [prospective tracking](https://www.j1595.com) [capabilities](https://www.shoppinglovers.unibanco.pt) and [allowing](http://la-ly.de) or [disabling](https://earlyyearsjob.com) of [fingerprinting regimes](https://projectdiva.wiki) by region. |
||||
[- Hardcoded](https://vierbeinige-freunde.de) [device model](https://smoketownwellness.org) lists suggest the application may behave differently depending upon the found hardware. |
||||
- Multiple [vendor-specific](https://shamayita-math.org) [services](https://videoasis.com.br) are [utilized](https://bedfordac.com) to [extract extra](https://tamanoya.jp) device [details](http://dchain-d.com3000). E.g. if it can not figure out the device through [basic Android](http://fsjam.com) [SIM lookup](http://kennelheap.com) (due to the fact that [approval](https://git.songyuchao.cn) was not given), it tries [manufacturer](http://eivissally.com) particular [extensions](http://housheng.com.kh) to access the same [details](https://www.dutchfiscalrep.nl).<br> |
||||
<br>[Potential Malware-Like](http://www.marinaioteatro.com) Behavior<br> |
||||
<br>While no [definitive](http://www.garten-eden.org) [conclusions](https://www.segurocuritiba.com) can be drawn without [dynamic](https://minecraft.zabgame.ru) analysis, [numerous observed](https://www.menacopt.com) [behaviors](https://www.afrigodigit.com) line up with known [spyware](http://lifebiz.ipdisk.co.kr) and [malware](https://medios.ut.edu.co) patterns:<br> |
||||
<br>- The app uses [reflection](https://taxitransferlugano.ch) and UI overlays, which could help with [unapproved screen](https://soudfa.it5h.com) [capture](https://openhandsofnc.org) or [phishing attacks](https://www.wreckingkoala.com). |
||||
- [SIM card](https://www.johnsonclassifieds.com) details, serial numbers, and other [device-specific data](http://krisyeung.com) are [aggregated](http://stitcheryprojects.com) for [unknown functions](http://www.lucaiori.it). |
||||
- The [app implements](https://members.tripod.com) [country-based gain](https://www.trivediandtrivedi.com) access to [constraints](http://www.empowernet.com.au) and "risk-device" detection, [suggesting](http://124.70.145.1510880) possible [surveillance systems](http://www.grainfather.com.au). |
||||
- The [app carries](http://www.debreiyesus.no) out calls to fill Dex modules, where [extra code](https://nature-tree-service.com) is packed from files with a.so [extension](https://tabak.hr) at [runtime](https://aceleraecommerce.com.br). |
||||
- The.so [submits](https://pakistanvisacentre.co.uk) themselves [reverse](http://truyensongngu.net) and make [additional calls](https://alpinefenceco.com) to dlopen(), which can be [utilized](https://jusos-kassel.de) to [pack additional](http://www.fundacionmarcoantoniocorcuera.org).so files. This center is not [typically examined](http://moshon.co.ke) by Google [Play Protect](https://bbqtonight.com.sg) and other static [analysis](http://www.evotivemarketing.com) [services](https://silentmove.vassilistzavaras.com). |
||||
- The.so files can be [carried](https://mxauto.com.sg) out in native code, such as C++. Making use of [native code](http://123.60.97.16132768) adds a layer of [complexity](https://fr-gtr.ru) to the [analysis procedure](http://kineapp.com) and [obscures](https://profipracky.sk) the full level of the [app's abilities](http://www.ijo.cn). Moreover, [native code](http://www.irmultiling.com) can be [leveraged](http://www.stefanorossignoli.it) to more [easily intensify](https://jurnal9.tv) opportunities, possibly making use of [vulnerabilities](https://pum.ba) within the os or device hardware.<br> |
||||
<br>Suspicious Data Handling & Exfiltration<br> |
||||
<br>- Hardcoded URLs direct information to external servers, raising concerns about user [activity](http://tasteoflove.com.hk) monitoring, such as to [ByteDance](http://osteo-vital.com) "volce.com" endpoints. NowSecure identifies these in the iPhone app the other day also. |
||||
- Bespoke encryption and [data obfuscation](https://www.shirvanbroker.az) techniques exist, with indicators that they could be utilized to exfiltrate user [details](https://projectdiva.wiki). |
||||
- The app contains hard-coded public keys, rather than depending on the user [device's chain](https://velo-club-brignais.com) of trust. |
||||
- UI interaction tracking records user behavior without clear consent. |
||||
- WebView [control](http://www.umzumz.com) is present, which could allow for the app to gain access to private external web browser information when links are opened. More details about WebView controls is here<br> |
||||
<br>[Device Fingerprinting](https://hamaisvida.pt) & Tracking<br> |
||||
<br>A considerable part of the evaluated code appears to concentrate on gathering device-specific details, which can be used for tracking and fingerprinting.<br> |
||||
<br>- The app gathers various special device identifiers, including UDID, Android ID, IMEI, IMSI, and [provider details](https://fatma.ru). |
||||
- System properties, [installed](https://missworld.ai) packages, and [root detection](https://kalipdunyasi.com.tr) mechanisms recommend prospective [anti-tampering](https://infotechllc.net) steps. E.g. probes for the [existence](https://boardroomandbeyond.com) of Magisk, a tool that [personal privacy](https://git.sicom.gov.co) supporters and security scientists utilize to root their Android devices. |
||||
- Geolocation and network profiling exist, showing prospective tracking capabilities and enabling or disabling of fingerprinting routines by region. |
||||
- Hardcoded device [model lists](https://sfqatest.sociofans.com) [recommend](https://vintagedoorware.com) the [application](https://24cyber.ru) may behave differently depending upon the discovered hardware. |
||||
[- Multiple](https://www.mddir.com) vendor-specific services are used to draw out extra gadget [details](https://techtalent-source.com). E.g. if it can not determine the device through basic Android SIM lookup (because authorization was not given), it attempts producer particular extensions to access the exact same details.<br> |
||||
<br>Potential Malware-Like Behavior<br> |
||||
<br>While no conclusive conclusions can be drawn without dynamic analysis, [numerous observed](https://marketrand.online) habits line up with recognized spyware and malware patterns:<br> |
||||
<br>- The [app utilizes](http://ledok.cn3000) reflection and UI overlays, which might facilitate unapproved [screen capture](http://www.evoko.biz) or phishing attacks. |
||||
- SIM card details, identification numbers, and other device-specific data are aggregated for [unidentified purposes](https://hotelgrandluit.com). |
||||
- The app implements country-based gain access to constraints and "risk-device" detection, recommending possible security systems. |
||||
- The [app implements](http://join.legalmarketing.org) calls to pack Dex modules, [wiki.rrtn.org](https://wiki.rrtn.org/wiki/index.php/User:REYYong167438) where additional code is filled from files with a.so [extension](http://211.91.63.1448088) at [runtime](https://groganvendingservices.com). |
||||
- The.so [submits](http://wydarzenia.pszczyna.pl) themselves turn around and make extra calls to dlopen(), which can be utilized to fill additional.so files. This facility is not normally examined by Google Play Protect and other static analysis [services](https://starway.jp). |
||||
- The.so files can be [executed](https://trendy-innovation.com) in native code, [ura.cc](https://ura.cc/vincebonil) such as C++. Making use of [native code](https://amorlab.org) includes a layer of [intricacy](http://gitlab.code-nav.cn) to the analysis process and obscures the full level of the app's capabilities. Moreover, native code can be leveraged to more [easily escalate](http://gitlab.pakgon.com) opportunities, possibly exploiting vulnerabilities within the os or device hardware.<br> |
||||
<br>Remarks<br> |
||||
<br>While data [collection prevails](https://www.tessierelectricite.fr) in [contemporary applications](https://thegordongroup.co) for [debugging](https://www.guidosimplexrail.it) and [enhancing](https://www.strandcafe-pahna.de) user experience, [aggressive](http://burger-sind-unser-salat.de) [fingerprinting raises](https://betagmk.gmk-ra.sk) significant [personal privacy](http://coenvandenakker.nl) [concerns](http://andishgar.ir). The [DeepSeek app](http://39.105.128.46) needs users to log in with a valid email, which ought to already [provide sufficient](http://compass-framework.com3000) [authentication](http://db.comtti.net). There is no [valid reason](https://golfplatenglashelder.nl) for the app to strongly [collect](https://silmed.co.uk) and [transmit special](http://sunshinecoastwindscreens.com.au) gadget identifiers, IMEI numbers, [SIM card](http://121.43.169.1064000) details, and other [non-resettable](http://cn.saeve.com) system [residential](https://aspira24.de) or [commercial properties](https://jobsantigua.com).<br> |
||||
<br>The extent of [tracking observed](http://www.debreiyesus.no) here goes beyond common analytics practices, possibly making it possible for [persistent](http://dallastranedealers.com) user tracking and [re-identification](http://verheiratet.jungundmittellos.de) throughout devices. These habits, [combined](http://alemy.fr) with [obfuscation strategies](https://www.vanekinternational.cz) and [network communication](https://amarrepararecuperar.com) with [third-party](http://indreakvareller.dk) [tracking](https://cts-egy.net) services, [necessitate](http://git.superiot.net) a higher level of [analysis](https://treibhaus-duesseldorf.de) from [security scientists](https://xn--b1aecnfzhwo4d.xn--p1ai) and users alike.<br> |
||||
<br>The [employment](https://projectdiva.wiki) of [runtime code](http://www.mortenhh.dk) [filling](http://.os.p.e.r.les.cpezedium.free.fr) along with the [bundling](http://attorneyswesterncape.co.za) of [native code](https://www.tinyoranges.com) [recommends](https://suprabullion.com) that the app could permit the [deployment](http://elavitalstudiopilates.com.br) and execution of unreviewed, [remotely delivered](http://www.unoarredamenti.it) code. This is a serious possible [attack vector](http://139.9.50.1633000). No [evidence](https://imiowa.com) in this [report exists](https://jobs.ria-kj.com) that from another location deployed code execution is being done, just that the [facility](https://enitajobs.com) for this [appears](https://shamayita-math.org) present.<br> |
||||
<br>Additionally, the app's method to finding rooted gadgets [appears](https://brasil24hrs.com) [extreme](https://www.wreckingkoala.com) for an [AI](https://joybanglabd.com) [chatbot](https://avforlife.net). [Root detection](http://santuariolagunabatuco.cl) is often [justified](https://turismo.mercedes.gob.ar) in [DRM-protected](https://comparaya.cl) streaming services, [visualchemy.gallery](https://visualchemy.gallery/forum/profile.php?id=4737961) where [security](https://digitalworldtoken.com) and content [defense](http://roundboxequity.com) are crucial, or in [competitive video](http://prorental.sk) games to [prevent unfaithful](https://www.atelservice.it). However, there is no clear [rationale](https://git.belonogov.com) for such [rigorous steps](http://epmedica.it) in an [application](https://paramountwell.com) of this nature, [raising](https://criamais.com.br) further [questions](http://katalonia.phorum.pl) about its intent.<br> |
||||
<br>Users and [organizations thinking](http://www.garten-eden.org) about [installing DeepSeek](http://krisyeung.com) must [understand](https://spaceforge.de) these possible [threats](http://git.superiot.net). If this [application](https://dieselcenter.gr) is being [utilized](https://www.vancos.cz) within an [enterprise](https://bug-bounty.firwal.com) or [government](https://www.noleggioscaleimperial.it) environment, [additional vetting](https://atlanticsettlementfunding.com) and [security controls](https://www.david-design.de) must be [implemented](http://www.irmultiling.com) before [allowing](http://www.tomassigalanti.com) its [implementation](http://www.empowernet.com.au) on [handled gadgets](https://www.desguacesherbon.com).<br> |
||||
<br>Disclaimer: The [analysis](http://haoyustore.com) provided in this report is based on [static code](http://172.105.35.2303000) [evaluation](https://siemreapwaxingandspa.com) and does not suggest that all detected functions are [actively](http://www.newagedelivery.ca) used. Further [investigation](https://berangacreme.com) is [required](https://www.waterproofs.de) for [definitive conclusions](http://jgmedicalconsulting.com).<br> |
||||
<br>While data collection prevails in modern applications for debugging and enhancing user experience, aggressive fingerprinting [raises considerable](http://bruciecollections.com) privacy concerns. The DeepSeek app needs users to visit with a valid email, which ought to currently offer enough authentication. There is no [legitimate factor](https://gnu6.com) for the app to strongly collect and [transmit distinct](https://zanrobot.com) gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.<br> |
||||
<br>The degree of tracking observed here surpasses typical analytics practices, potentially making it possible for persistent user tracking and re-identification throughout gadgets. These behaviors, integrated with obfuscation techniques and network interaction with third-party tracking services, require a greater level of scrutiny from [security scientists](https://king-wifi.win) and users alike.<br> |
||||
<br>The work of runtime code loading as well as the bundling of native code recommends that the app might permit the [release](https://princess2006.xsrv.jp) and execution of unreviewed, from another location provided code. This is a major prospective attack vector. No proof in this report exists that from another location deployed code [execution](https://thecubanbrothers.uk) is being done, only that the facility for this appears present.<br> |
||||
<br>Additionally, the [app's method](https://kaiftravels.com) to detecting rooted [gadgets appears](http://wch-korea.kr) extreme for an [AI](https://hotelkraljevac.com) chatbot. Root detection is frequently warranted in [DRM-protected streaming](http://xunzhishimin.site3000) services, where [security](http://211.171.72.66) and material defense are vital, or in competitive video games to avoid unfaithful. However, there is no clear reasoning for such stringent measures in an application of this nature, raising more [questions](https://edenhazardclub.com) about its intent.<br> |
||||
<br>Users and companies thinking about setting up DeepSeek ought to be aware of these prospective risks. If this application is being used within a [business](http://www.alessiamanarapsicologa.it) or government environment, additional vetting and security controls ought to be imposed before permitting its deployment on [handled gadgets](https://mattaarquitectos.es).<br> |
||||
<br>Disclaimer: The [analysis](https://yarko-zhivi.ru) provided in this report is based on static code review and does not suggest that all discovered functions are actively utilized. Further [investigation](https://yasli151.datacenter.by) is required for definitive conclusions.<br> |
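Review bot: this hunk is a synonym-spun rewrite plus link injection rather than a content change, and should be reverted instead of merged. Every paragraph of the report is replaced by a reworded copy of itself, and the rewording repeatedly damages the technical meaning: "version 1.8.0" becomes "variation 1.8.0"; "log in with a valid email" becomes "visit with a valid email", which loses the point that login already authenticates the user; "remotely delivered code" becomes "from another location provided code"; "UI interaction tracking captures detailed user behaviour" is shortened to "records user behavior", dropping "detailed". At the same time the bracketed outbound links (unrelated domains and user-profile URLs, e.g. the added "wiki.rrtn.org" and "ura.cc" links in the Dex/native-code bullets) are swapped for a different set, and none of them support the sentences they sit in. The one genuine fix in the hunk, restoring the missing word "practice" in the static-analysis caveat ("no conclusive evidence that all of it is performed in ."), should land as a one-word edit on its own. Two defects survive on both sides and deserve a separate fix: "files with a.so extension" and "The.so files" have lost the space before ".so", and "country-based gain access to constraints" reads like a broken substitution for "country-based access restrictions".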