Page: Static Analysis of The DeepSeek Android App

AI Starts to Assist India's Struggling Farms

Australia Bans DeepSeek aI Program On Government Devices

Bill Gates Issues Chilling Warning about the Future Of AI

Decrypt's Art, Fashion, And Entertainment Hub

DeepSeek: the Chinese aI Model That's a Tech Breakthrough and A Security Risk

DeepSeek Founder Says China aI will Stop Following U.S.

DeepSeek Just Insisted it's ChatGPT, and i Think that's all the Proof I Need

Elon Musk's Brand new DOGE Staffer Quits Over Racist Social Media Posts

How to Capitalize The 'Magnificent 7' Tech Stocks

How to Cash in on The 'Magnificent 7' Tech Stocks

Judge Says Elon Musk's Claims of Harm from OpenAI Are A 'stretch'.

Musk's Claim against OpenAI May go to Trial In Part, Judge Says

Musk Polls whether DOGE Staffer who made Racist Posts Ought to Return

OpenAI Looks across United States for Sites to Build Its Trump backed Stargate

Push to Ban DeepSeek from all United States Government owned Devices

Run DeepSeek R1 Locally with all 671 Billion Parameters

Sailing Bigger and Faster, SailGP Back where everything Began In Sydney

Sailing Bigger and Faster, SailGP Back where it all Began In Sydney

Schulman Left OpenAI in August 2025

Staggering Cost of Bronze Statue of Daniel Andrews In Melbourne

Static Analysis of The DeepSeek Android App

The Chinese aI Companies that Might Match DeepSeek's Impact

What is Artificial General Intelligence: A 2025 Beginner's Guide

HTTP

2 Static Analysis of The DeepSeek Android App

Agnes Holman edited this page 4 months ago

I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to identify prospective security and privacy issues.

I've discussed DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on fixed analysis. This indicates that while the code exists within the app, wiki-tb-service.com there is no definitive evidence that all of it is carried out in practice. Nonetheless, the existence of such code warrants scrutiny, especially provided the growing concerns around information privacy, surveillance, the potential abuse of AI-driven applications, and cyber-espionage characteristics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app yesterday also.

• Bespoke encryption and information obfuscation approaches exist, with indications that they could be utilized to exfiltrate user details.
• The app contains hard-coded public keys, imoodle.win instead of depending on the user device's chain of trust.
• UI interaction tracking catches detailed user behavior without clear permission. - WebView manipulation is present, which might permit the app to gain access to private external web browser information when links are opened. More details about WebView adjustments is here
  
  Device Fingerprinting & Tracking
  
  A substantial part of the evaluated code appears to focus on event device-specific details, which can be used for tracking and fingerprinting.
  
  - The app gathers different unique gadget identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
• System homes, set up plans, and root detection mechanisms recommend possible anti-tampering steps. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and security scientists utilize to root their Android devices.
• Geolocation and network profiling exist, showing prospective tracking capabilities and making it possible for or disabling of fingerprinting regimes by area.
• Hardcoded gadget design lists recommend the application may behave in a different way depending upon the detected hardware.
• Multiple vendor-specific services are utilized to draw out extra gadget details. E.g. if it can not determine the gadget through standard Android SIM lookup (since authorization was not granted), it tries maker specific extensions to access the exact same details.
  
  Potential Malware-Like Behavior
  
  While no conclusive conclusions can be drawn without dynamic analysis, numerous observed habits line up with recognized spyware and malware patterns:
  
  - The app uses reflection and UI overlays, which could help with unapproved screen capture or phishing attacks.
• SIM card details, demo.qkseo.in serial numbers, and other device-specific information are aggregated for unidentified functions.
• The app implements country-based gain access to constraints and "risk-device" detection, recommending possible monitoring systems.
• The app carries out calls to pack Dex modules, where additional code is loaded from files with a.so extension at runtime.
• The.so submits themselves reverse and make extra calls to dlopen(), which can be utilized to pack additional.so files. This center is not normally checked by Google Play Protect and other static analysis services.
• The.so files can be executed in native code, such as C++. Using native code includes a layer of complexity to the analysis procedure and obscures the full level of the app's capabilities. Moreover, native code can be leveraged to more easily escalate opportunities, possibly making use of vulnerabilities within the operating system or gadget hardware.
  
  Remarks
  
  While data collection prevails in modern-day applications for debugging and enhancing user experience, aggressive fingerprinting raises substantial privacy concerns. The DeepSeek app requires users to visit with a legitimate email, which must currently offer enough authentication. There is no valid factor for the app to aggressively collect and send special device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.
  
  The degree of tracking observed here goes beyond common analytics practices, possibly making it possible for persistent user tracking and re-identification throughout gadgets. These habits, integrated with obfuscation techniques and network interaction with third-party tracking services, require a greater level of analysis from security researchers and users alike.
  
  The employment of runtime code packing as well as the bundling of native code suggests that the app could enable the release and execution of unreviewed, remotely delivered code. This is a severe prospective attack vector. No evidence in this report exists that remotely released code execution is being done, just that the center for elearnportal.science this appears present.
  
  Additionally, the app's approach to spotting rooted devices appears extreme for an AI chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and content protection are critical, or asteroidsathome.net in competitive computer game to avoid unfaithful. However, there is no clear reasoning for such rigorous steps in an application of this nature, raising additional concerns about its intent.
  
  Users and organizations considering installing DeepSeek ought to know these possible dangers. If this application is being utilized within an enterprise or government environment, extra vetting and security controls must be enforced before allowing its on handled devices.
  
  Disclaimer: The analysis presented in this report is based on fixed code evaluation and does not suggest that all identified functions are actively used. Further investigation is required for conclusive conclusions.