Is Your AI App Safe? Analyzing Deepseek's Security Vulnerabilities

Artificial Intelligence is reshaping how we interact with technology, from virtual assistants to advanced search engines. However, with great power comes great responsibility—particularly when it comes to security. These apps often handle sensitive data, making them prime targets for cyberattacks.

At Appknox, we're committed to ensuring that the latest AI applications are safe for users. We’re testing some of the newest AI tools, such as Claude, Perplexity, and Deepseek, and publishing our findings as part of an ongoing series.

Our first assessment focuses on the newest Android app, Deepseek. Launched with much anticipation, Deepseek promises advanced search capabilities powered by state-of-the-art AI algorithms. However, our security analysis revealed multiple critical vulnerabilities that could put users' personal data at significant risk. Here’s what we found and what you need to know to stay safe.

What’s happening?

If you have the Deepseek Android app installed on your phone, you might be putting your personal data at risk without even realizing it. Security researchers at Appknox recently analyzed the app and discovered multiple critical vulnerabilities that hackers could exploit. These flaws allow attackers to steal your private information, take control of your device, and even install malicious software—all without your knowledge.

What are the security issues?

Our security assessment uncovered six significant vulnerabilities in the Deepseek Android app, each posing considerable security risks to users. Here's a breakdown of each vulnerability, its attack type, risk level, real-world examples of breaches, and how you can protect yourself:

1. Unsecured network configuration

Attack type

Man-in-the-Middle (MitM) attack

Risk level

Critical.

Deepseek lacks proper network security measures, making it highly susceptible to MitM attacks. When users connect over public Wi-Fi or an untrusted network, attackers can intercept and manipulate data, potentially stealing login credentials, personal messages, and payment details.

In 2023, a MitM attack targeted a popular messaging app, exposing user conversations and financial transactions. In this case, users on public Wi-Fi were targeted, with attackers being able to intercept and manipulate data such as login credentials, emails, and personal information. Users had their private communications exposed, and the attackers could steal sensitive data through unencrypted traffic.

How could Deepseek fix it?

• Implement HTTPS with HSTS to ensure secure communication.
• SSL pinning can be used to prevent MitM attacks by validating server certificates.
• Regularly test network configurations using security tools like Burp Suite or OWASP ZAP.
  
  

2. No SSL validation or certificate pinning

Attack type

Impersonation attack

Risk level

Critical.

Deepseek fails to validate SSL certificates, making it vulnerable to fake websites or unauthorized access. Hackers can impersonate trusted servers and intercept sensitive information, such as login credentials and personal data.

In 2022, an attacker exploited a failure in SSL certificate validation to spoof a popular social app. Without proper certificate validation, the attacker intercepted secure traffic between the app and Twitter’s servers and impersonated the official service, capturing sensitive data such as login credentials and other private user information.

Due to a lack of secure communication validation, user data was compromised, leading to unauthorized access to accounts and potential data breaches.

How could Deepseek fix it?

• Implement SSL certificate pinning to verify server authenticity.
• Ensure strict SSL validation protocols in the app’s code.
• Perform regular penetration testing to detect and fix SSL-related vulnerabilities.
  
  

3. Weak root detection

Attack type

Privilege escalation

Risk level

High

Deepseek's ineffective root detection allows attackers with root access to bypass security controls and extract sensitive data. Rooted devices are particularly vulnerable to malware and advanced cyberattacks.

A 2021 incident saw XLoader, a malware that targets Android devices by exploiting weak root detection. The malware bypassed root checks and escalated privileges, allowing it to gain control of the device and perform malicious activities, such as stealing credentials and capturing sensitive data.

The malware infected thousands of devices, enabling unauthorized data exfiltration and device control.

How could Deepseek fix it?

• Strengthen root detection mechanisms with advanced security checks.
• Use device integrity checks to detect tampering or rooting.
  
• Integrate third-party root detection libraries like SafetyNet or RootBeer.
  
  

4. Susceptibility to the StrandHogg vulnerability

Attack type

Phishing and identity theft

Risk level

Critical

The StrandHogg vulnerability enables malicious apps to hijack legitimate app tasks, displaying fake login screens to steal user credentials.

The StrandHogg vulnerability was exploited to target financial apps. Malicious apps disguised as legitimate banking apps could display fake login screens, tricking users into entering their credentials. This vulnerability was notably used in 2020, targeting popular banking and social media apps. Multiple financial institutions and social media platforms were targeted, resulting in data breaches, identity theft, and unauthorized access to user accounts.

How could Deepseek fix it?

• Update the app to target newer Android versions with improved security patches.
• Implement strict task affinity settings to prevent task hijacking.
• Conduct thorough testing using security tools to detect potential hijacking threats.
  
  

5. Exposure to the Janus vulnerability

Attack type

APK modification and malware injection

Risk level

Critical

Janus allows attackers to modify an app’s APK file without breaking its digital signature, enabling malware injection.

In 2019, attackers exploited the Janus vulnerability to modify APK files in legitimate apps distributed via the Google Play Store. By bypassing the digital signature check, attackers injected malware into the apps, enabling spyware and other malicious software to be installed on users' devices without their knowledge. Several apps were compromised, leading to widespread malware infections, data theft, and spying. Users were unknowingly installing compromised versions of trusted apps.

How could Deepseek fix it?

• Ensure App Integrity Checks
• Use Google Play App Signing to protect your APKs from unauthorized modifications.
• Implement Android Application Signing (v2/v3) to prevent unauthorized app alterations.
• Use SafetyNet Attestation API to detect modified or tampered APKs at runtime.
  
  

6. Tapjacking attacks

Attack type

UI manipulation

Risk level

High

Tapjacking tricks users into granting dangerous permissions by overlaying invisible UI elements on legitimate buttons.

In 2022, a tapjacking attack targeting messaging apps was discovered. Attackers created invisible overlays on legitimate UI elements, tricking users into granting dangerous permissions like camera and microphone access or the ability to install malware.

The attack allowed unauthorized access to user data and allowed malware to exploit devices for malicious purposes. Users unknowingly granted dangerous permissions, which led to the installation of spyware and other malicious software.

How could Deepseek fix it?

• Implement secure UI design practices to prevent overlay attacks.
• Use Android’s FLAG_SECURE setting to block screen overlays.
• Conduct usability and security testing to detect malicious UI manipulation.
  
  

Why should you care?

These security vulnerabilities are not just technical issues—they can have real-life consequences for users:

🚨 Data theft

Your login credentials, financial data, and personal messages could be stolen.

🕵️ Spyware and surveillance

Malicious apps could replace Deepseek and operate in disguise, stealing sensitive data.

🎛️ Remote control

Attackers could gain remote access to your phone, spying on your activities and manipulating device functions.

💳 Financial fraud

A hacker could manipulate what you see and interact with, leading to unauthorized transactions or identity theft. If you're using the Deepseek Android app, your private information could be exposed to cybercriminals at any moment.

What should you do?

Until the developers fix these vulnerabilities, we strongly recommend taking the following steps:

🔍 Uninstall the Deepseek app immediately to avoid security risks.

✅ Use trusted applications from reputable developers and sources.

🔒 Keep your Android OS and apps updated to patch known security flaws.

🌐 Avoid using public Wi-Fi for sensitive transactions unless you're using a VPN.

🛡️ Enable Play Protect and use a trusted mobile security solution to scan for malware.

🚫 Be cautious of pop-ups and UI overlays that ask for unexpected permissions.

Appknox expert opinion

“Our findings in the Deepseek app underscore the critical need for rigorous security measures in AI-driven applications. Without proactive security assessments, user data remains vulnerable to sophisticated cyber threats.”

Subho Halder,
CEO, Appknox

Final thoughts

Mobile security is more important than ever. The vulnerabilities found in the Deepseek Android app highlight the importance of secure app development and rigorous testing. Developers must implement proper security controls, such as SSL pinning, root detection, and vulnerability patches, to ensure user safety.

Is your AI app secure?

Don’t wait until it’s too late. Schedule a free consultation with Appknox today to discover potential vulnerabilities in your application before cybercriminals do.

Schedule a demo

🔒 Stay safe. Stay secure.