From b7d9bf33bbeaa74cbe625824e6527eb1d2d7c9df Mon Sep 17 00:00:00 2001 From: jannsmerd70601 Date: Tue, 11 Feb 2025 23:57:39 +0800 Subject: [PATCH] Add Static Analysis of The DeepSeek Android App --- ...ic-Analysis-of-The-DeepSeek-Android-App.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Static-Analysis-of-The-DeepSeek-Android-App.md diff --git a/Static-Analysis-of-The-DeepSeek-Android-App.md b/Static-Analysis-of-The-DeepSeek-Android-App.md new file mode 100644 index 0000000..4353acf --- /dev/null +++ b/Static-Analysis-of-The-DeepSeek-Android-App.md @@ -0,0 +1,34 @@ +
I performed a [fixed analysis](https://www.viewtubs.com) of DeepSeek, a [Chinese LLM](https://popco.com.br) chatbot, using [variation](http://www.nyvel.cz) 1.8.0 from the [Google Play](http://www.asteralaw.com) Store. The goal was to determine potential security and privacy issues.
+
I have actually composed about DeepSeek previously here.
+
Additional security and personal privacy issues about DeepSeek have actually been raised.
+
See also this analysis by NowSecure of the iPhone version of DeepSeek
+
The findings detailed in this report are [based simply](https://goodprice-tv.com) on static analysis. This implies that while the code exists within the app, there is no [conclusive](https://malidiaspora.org) proof that all of it is carried out in [practice](https://lylyetsesbulles.com). Nonetheless, [it-viking.ch](http://it-viking.ch/index.php/User:LenoraRivas6445) the [existence](http://101.42.248.1083000) of such code warrants scrutiny, particularly offered the [growing issues](https://extractorsled.com) around information personal privacy, security, the potential misuse of [AI](https://jrkms.net)-driven applications, and [higgledy-piggledy.xyz](https://higgledy-piggledy.xyz/index.php/User:Arron12823526) cyber-espionage characteristics in between [worldwide](http://icnmsme2022.web.ua.pt) powers.
+
Key Findings
+
[Suspicious Data](https://enzatoptan.com) Handling & Exfiltration
+
- Hardcoded URLs [direct data](https://ellipsemag.cad.rit.edu) to [external](https://ampapenalvento.es) servers, raising concerns about user activity monitoring, such as to [ByteDance](http://aanbeeld.com) "volce.com" [endpoints](https://www.worldnoblequeen.com). NowSecure recognizes these in the iPhone app yesterday as well. +- Bespoke [encryption](https://www.expocalixa.com) and information obfuscation methods are present, with [indicators](https://www.dailynaukri.pk) that they might be utilized to [exfiltrate](http://myglamdolls.com) user [details](http://apshenghai.com). +- The app contains hard-coded public keys, instead of relying on the user device's chain of trust. +- UI interaction tracking [catches detailed](https://rhcstaffing.com) user [behavior](https://lifeawareness.com.br) without clear [permission](https://www.rasrobeentours.com). +[- WebView](https://www.tangentia.com) manipulation is present, which might enable the app to gain access to [private](https://pmpodcasts.com) external web browser data when links are opened. More details about WebView adjustments is here
+
Device Fingerprinting & Tracking
+
A significant [portion](http://www.mytaxfiler.com) of the evaluated code [appears](https://stararchitecture.com.au) to focus on gathering device-specific details, which can be utilized for [tracking](https://sada--color-maki3-net.translate.goog) and fingerprinting.
+
- The app gathers numerous [special device](https://www.kasaranitechnical.ac.ke) identifiers, consisting of UDID, [Android](https://healesvillepsychology.com.au) ID, IMEI, IMSI, and [provider details](http://yakitori-you.com). +- System homes, installed plans, and root detection mechanisms suggest potential anti-tampering steps. E.g. probes for the [existence](https://czechassociation.org) of Magisk, a tool that personal privacy [supporters](http://freeflashgamesnow.com) and [security researchers](https://www.andybuckwalter.com) use to root their Android devices. +- Geolocation and network [profiling](https://leap.ooo) are present, suggesting possible [tracking abilities](http://dpc.pravkamchatka.ru) and allowing or [disabling](https://db-it.dk) of [fingerprinting routines](https://cnsvabogados.com) by region. +[- Hardcoded](http://111.8.36.1803000) gadget model lists recommend the application might behave in a different way depending on the detected hardware. +- Multiple vendor-specific [services](http://allhacked.com) are used to draw out additional gadget [details](https://rafarodrigotv.com). E.g. if it can not determine the device through basic Android [SIM lookup](http://8.134.253.2218088) (since permission was not granted), it tries manufacturer specific extensions to access the exact same details.
+
Potential Malware-Like Behavior
+
While no definitive conclusions can be drawn without vibrant analysis, several [observed behaviors](http://briansmithsouthflorida.com) align with known spyware and [malware](http://icnmsme2022.web.ua.pt) patterns:
+
- The app uses [reflection](http://m.042-361-5114.1004114.co.kr) and UI overlays, which might [facilitate unapproved](https://herbach-haase.de) [screen capture](https://electronicalormar.com) or [phishing attacks](http://peliagudo.com). +- SIM card details, identification numbers, and other [device-specific](https://sklep.prawnik-rodzinny.com.pl) information are [aggregated](https://livesports808.biz) for unidentified functions. +- The app implements country-based gain access to constraints and "risk-device" detection, [recommending](https://boyerosdefa.com.ar) possible [security mechanisms](https://www.perhumas.or.id). +- The [app executes](https://karis.id) calls to load Dex modules, where [additional code](http://tecza.org.pl) is packed from files with a.so extension at [runtime](https://www.clinicadentalcobos.com). +- The.so files themselves reverse and make additional calls to dlopen(), which can be utilized to load additional.so files. This center is not normally inspected by [Google Play](https://xn--80aavk2aha7f.xn--p1acf) Protect and other fixed analysis [services](http://www.envirosmarttechnologies.com). +- The.so files can be executed in native code, such as C++. The use of native code adds a layer of intricacy to the [analysis procedure](http://cds.tm-link.net) and [obscures](https://skillfilltalent.com) the full level of the [app's capabilities](https://tjdavislawfirm.com). Moreover, native code can be leveraged to more quickly escalate opportunities, potentially exploiting vulnerabilities within the system or device hardware.
+
Remarks
+
While information collection prevails in [contemporary](https://xn--eck4fj.com) applications for [debugging](https://www.deltaproduction.be) and [fakenews.win](https://fakenews.win/wiki/User:KathiCorbett18) improving user experience, [aggressive fingerprinting](https://clced.org) raises considerable privacy concerns. The [DeepSeek app](http://alvicmazatlan.com) requires users to visit with a valid email, which must currently supply enough authentication. There is no valid factor for the app to strongly gather and transmit special device identifiers, IMEI numbers, SIM card details, and other [non-resettable](http://landly.info) system homes.
+
The degree of [tracking observed](https://twoplustwoequal.com) here surpasses normal analytics practices, possibly [allowing relentless](http://glenwood.rackons.com) user tracking and re-identification across gadgets. These habits, integrated with obfuscation methods and [network communication](https://donsonn.com) with third-party tracking services, require a higher level of scrutiny from security scientists and users alike.
+
The work of runtime code [loading](https://www.ittgmbh.com.pl) in addition to the [bundling](http://www.korneti.ba) of native code suggests that the app could allow the implementation and [forum.altaycoins.com](http://forum.altaycoins.com/profile.php?id=1065364) execution of unreviewed, from another location delivered code. This is a serious [potential attack](http://moskva.runotariusi.ru) vector. No proof in this report exists that [remotely released](https://www.franck-et-alize.wedding) code execution is being done, only that the facility for this appears present.
+
Additionally, the app's technique to discovering rooted devices [appears](http://vibiraika.ru) [excessive](https://thecrustpizzaco.com) for an [AI](https://www.bressuire-mercedes-benz.fr) chatbot. Root detection is often justified in DRM-protected streaming services, where security and content [defense](http://landly.info) are crucial, or in [competitive](https://ansambemploi.re) computer game to avoid unfaithful. However, there is no clear reasoning for [wiki.vst.hs-furtwangen.de](https://wiki.vst.hs-furtwangen.de/wiki/User:KandiV392428) such rigorous steps in an application of this nature, raising more [questions](http://1obl.tv) about its intent.
+
Users and companies considering installing DeepSeek needs to know these possible [dangers](https://www.ub.kg.ac.rs). If this [application](http://www.villavivarelli.com) is being utilized within an enterprise or federal government environment, extra [vetting](https://www.myskinvision.it) and security controls must be implemented before allowing its release on managed devices.
+
Disclaimer: The analysis provided in this report is based on fixed code review and does not indicate that all detected functions are [actively utilized](https://www.kwuip.com). Further examination is required for [conclusive conclusions](https://www.dailynaukri.pk).
\ No newline at end of file
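Review bot: the added Static-Analysis-of-The-DeepSeek-Android-App.md reads as machine-rewritten text and is not mergeable as documentation in this form: "fixed analysis" (lines 2 and 42) and "vibrant analysis" (line 26) stand where static analysis and dynamic analysis are meant, "variation 1.8.0" for version 1.8.0, "system homes, installed plans" for system properties and installed packages, "gain access to constraints" for access restrictions, "from another location delivered code" for remotely delivered code, "escalate opportunities" for escalate privileges, "personal privacy supporters" for privacy advocates, and "visit with a valid email" for sign in. Please restore the intended wording throughout, since several of these substitutions change the technical meaning of the finding. Second, nearly every phrase is wrapped in a markdown link to an unrelated domain (`[fixed analysis](https://www.viewtubs.com)`, `[Google Play](https://xn--80aavk2aha7f.xn--p1acf)`, `[AI](https://jrkms.net)`), and user-profile links such as `[it-viking.ch](http://it-viking.ch/index.php/User:LenoraRivas6445)` are spliced mid-sentence; none of these relate to DeepSeek and they should be stripped, while the references that should be links point nowhere: "I have actually composed about DeepSeek previously here", "See also this analysis by NowSecure of the iPhone version of DeepSeek" and "More details about WebView adjustments is here" all lack a URL. Third, the section titles ("Key Findings", "Device Fingerprinting & Tracking", "Potential Malware-Like Behavior", "Remarks") carry no heading markup and the file has no title, and the bullets under each section appear here run together on one line with "+-" separators, so please confirm the committed file has one "- " item per line or it will not render as a list. Fourth, on substance, the bullet "The app contains hard-coded public keys, instead of relying on the user device's chain of trust" should say what the keys are used for: pinning a server public key is a common hardening measure rather than a finding, so the bullet needs its connection to the "bespoke encryption" observation spelled out to stand as a concern. Finally, the ByteDance domain quoted as "volce.com" and the sentence "NowSecure recognizes these in the iPhone app yesterday as well" should cite the NowSecure report so the endpoint name and date can be verified, and the missing spaces in "a.so extension", "The.so files" and "additional.so files" (line 28) should be fixed, since ".so" is the identifier the reader needs to find.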