I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy issues.
I have written about DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.
See also this analysis by NowSecure of the iPhone version of DeepSeek.
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, security, the possible misuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings
Suspicious Data Handling & Exfiltration
- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app yesterday too.
- Bespoke file encryption and data obfuscation techniques exist, with signs that they could be used to exfiltrate user details.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView control exists, which could allow the app to access private external browser data when links are opened. More details about WebView controls are here.
Device Fingerprinting & Tracking
A considerable part of the analyzed code appears to focus on collecting device-specific details, which can be used for tracking and fingerprinting.
- The app collects numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest possible anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application might behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same details.
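A static triage pass of the kind that surfaces the indicators listed above, as an added example (not the tooling used for this report): it scans decompiled Java source for identifier reads, carrier lookups, root and Magisk probes, package enumeration and hardcoded URLs, then ranks files that combine several fingerprinting categories. The sample sources, file names and endpoint are constructed, and the `su` path check is a generic root-detection indicator assumed here rather than taken from the app.

```python
import re
from collections import defaultdict

# Android API names below are real; whether the app calls each one is an assumption.
RULES = {
    "device_identifier": re.compile(r"\b(?:getDeviceId|getImei|getSubscriberId)\s*\(|Settings\.Secure\.ANDROID_ID"),
    "carrier_info": re.compile(r"\bget(?:Sim|Network)Operator(?:Name)?\s*\("),
    "root_detection": re.compile(r"magisk|/(?:s?bin|xbin)/su\b", re.I),
    "installed_packages": re.compile(r"\bgetInstalled(?:Packages|Applications)\s*\("),
    "system_properties": re.compile(r"android\.os\.SystemProperties|\bgetprop\b"),
    "hardcoded_url": re.compile(r"https?://[A-Za-z0-9.-]+"),
}
FINGERPRINT_CATS = set(RULES) - {"hardcoded_url"}

def scan(sources):
    """Map category -> [(file, line_no, matched_text)] over decompiled sources."""
    findings = defaultdict(list)
    for name, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for cat, rx in RULES.items():
                findings[cat].extend((name, no, m.group(0)) for m in rx.finditer(line))
    return {cat: hits for cat, hits in findings.items() if hits}

def fingerprint_modules(findings, min_categories=2):
    """Files that combine several fingerprinting categories: review these first."""
    per_file = defaultdict(set)
    for cat in findings.keys() & FINGERPRINT_CATS:
        for name, _, _ in findings[cat]:
            per_file[name].add(cat)
    return sorted(n for n, cats in per_file.items() if len(cats) >= min_categories)

# Constructed sample input (hypothetical file names and endpoint).
SAMPLE = {
    "a/b/DeviceInfo.java": """
String imei = tm.getDeviceId();
String imsi = tm.getSubscriberId();
String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
String op = tm.getNetworkOperatorName();
""",
    "a/b/EnvCheck.java": """
boolean rooted = new File("/system/xbin/su").exists() || isInstalled("com.topjohnwu.magisk");
List<PackageInfo> pkgs = pm.getInstalledPackages(0);
""",
    "a/c/Uploader.java": 'static final String ENDPOINT = "https://telemetry.example.invalid/v1/log";',
}

if __name__ == "__main__":
    print("review first:", fingerprint_modules(scan(SAMPLE)))
```

A hit only shows that the code is present in the package; confirming that it executes requires dynamic analysis.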
Potential Malware-Like Behavior
While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:
- The app utilizes reflection and