Bitbaan Anti-Malware: When a Security App Becomes a Liability in Iran's Surveillance Landscape

A blackbox privacy audit of the Bitbaan Anti-Malware Android application (v3.2.3) has uncovered privacy violations that are alarming in any context but take on a distinct gravity when considered within Iran's surveillance landscape. Conducted over a limited three-day timeframe in June and July 2025 through reverse engineering of APKs sourced from Myket and CafeBazaar, the audit identified hidden camera capture functionality, weak cryptographic protections in the built-in password manager, local network device scanning, and extensive telemetry transmission to third-party analytics infrastructure. No backdoors, remote code execution vulnerabilities, or root exploits were found. But the nature of what was found — covert image capture, network enumeration, and device fingerprinting — maps uncomfortably well onto the capabilities that surveillance tools are designed to provide, even if the intent behind Bitbaan's implementation may be entirely different.
Bitbaan markets itself as a comprehensive mobile security suite for Iranian users, offering malware scanning, a password manager, and device protection features. Users who install a security application do so with an elevated level of trust — they are granting permissions and access precisely because they believe the application will protect rather than expose them. This trust relationship makes the findings of this audit particularly consequential. In a jurisdiction where the state has documented capabilities to compel data from domestic technology companies, where security tools can be weaponized or co-opted, and where no independent authority exists to audit or restrain such practices, the gap between a security app and a surveillance vector narrows considerably when the app's own security practices are this inadequate.
Covert Camera Capture: The Nosy Detector
The most alarming finding is a hidden feature internally designated as the "Nosy Detector," which silently activates the front-facing camera to capture photographs whenever an incorrect password is entered on the application's lock screen. This occurs without displaying a preview, without notifying the user, and without providing any mechanism to disable the behavior. The captured images are stored locally on the device. The feature's ostensible purpose — catching unauthorized access attempts — does not change the technical reality of what it does: it performs covert biometric capture of anyone who handles the device, without consent, disclosure, or opt-out.
In Iran, where facial recognition capabilities have been deployed for purposes including hijab enforcement and protest identification, the silent capture and local storage of facial images by a widely installed security application raises questions that transcend the developer's stated intent. The images exist on the device. They are accessible to any application or process with storage permissions. They are available to anyone with physical access to the device — including during the confiscation scenarios that Iranian security forces have documented in the context of arrests and interrogations. Whether or not Bitbaan's developers intended this feature as a security measure, its practical effect is the creation of a locally stored biometric record that exists within reach of the state's established device inspection practices.
Weak Cryptography in a Password Manager Users Trust
Bitbaan includes a built-in password manager that employs AES encryption in CBC mode with PKCS5/PKCS7 padding without integrity or authenticity verification, exposing it to padding oracle attacks and ciphertext manipulation. The key derivation function uses PBKDF2WithHmacSHA1 with only 1,000 iterations — far below the minimum of 600,000 recommended by OWASP. Frida instrumentation confirmed active runtime use of AES/CBC/PKCS7Padding with no authenticated encryption modes observed.
For a password manager operating within Iranian jurisdiction, the consequences of weak cryptography extend beyond abstract vulnerability. Users in Iran who face elevated personal risk — activists, journalists, lawyers, members of ethnic and religious minorities — may use a password manager precisely to protect access to sensitive accounts, communications, and organizational resources. A password database protected by 1,000 PBKDF2 iterations is vulnerable to brute-force attack within practical timeframes by any actor with moderate computational resources. For a state actor with dedicated infrastructure, this level of protection is effectively nominal. Users who trusted Bitbaan to secure their most sensitive credentials have instead placed those credentials behind a lock that a sufficiently motivated adversary can break.
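The weak configuration described above, beside the form an Android password manager should use, as an added example that is not Bitbaan's code. The "before" method mirrors the audited parameters (PBKDF2WithHmacSHA1 at 1,000 iterations, AES-CBC with no authentication); the "after" methods use PBKDF2-HMAC-SHA256 at 600,000 iterations and AES-GCM, whose tag makes any altered ciphertext fail to decrypt. Class and method names are assumed, and the stored blob layout (IV or nonce followed by ciphertext) is this example's own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class VaultCrypto {
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 600_000; // OWASP floor for PBKDF2; the audit found 1,000

    // "Before", the audited shape: PBKDF2-HMAC-SHA1 at 1,000 iterations and AES-CBC with no MAC.
    static byte[] weakEncrypt(char[] pw, byte[] salt, byte[] pt) throws Exception {
        byte[] iv = random(16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // Android spells the same padding PKCS7Padding
        c.init(Cipher.ENCRYPT_MODE, derive("PBKDF2WithHmacSHA1", pw, salt, 1_000), new IvParameterSpec(iv));
        return join(iv, c.doFinal(pt)); // nothing here lets a decryptor notice a modified ciphertext
    }

    // "After": PBKDF2-HMAC-SHA256 at ITERATIONS and AES-GCM, whose tag authenticates the ciphertext.
    static byte[] strongEncrypt(char[] pw, byte[] salt, byte[] pt) throws Exception {
        byte[] nonce = random(12); // fresh 96-bit nonce per encryption, stored in front of the ciphertext
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive("PBKDF2WithHmacSHA256", pw, salt, ITERATIONS), new GCMParameterSpec(128, nonce));
        return join(nonce, c.doFinal(pt));
    }

    static byte[] strongDecrypt(char[] pw, byte[] salt, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec spec = new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, 12));
        c.init(Cipher.DECRYPT_MODE, derive("PBKDF2WithHmacSHA256", pw, salt, ITERATIONS), spec);
        return c.doFinal(blob, 12, blob.length - 12); // throws AEADBadTagException if blob was altered
    }

    static SecretKey derive(String alg, char[] pw, byte[] salt, int iters) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iters, 256);
        return new SecretKeySpec(SecretKeyFactory.getInstance(alg).generateSecret(spec).getEncoded(), "AES");
    }

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    static byte[] join(byte[] a, byte[] b) { return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array(); }

    public static void main(String[] args) throws Exception {
        byte[] salt = random(16);
        char[] pw = "constructed-master-password".toCharArray(); // constructed sample, not a real secret
        byte[] blob = strongEncrypt(pw, salt, "vault entry".getBytes(StandardCharsets.UTF_8));
        blob[blob.length - 1] ^= 0x01; // simulate one flipped ciphertext bit
        try { strongDecrypt(pw, salt, blob); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```

The same single-bit change applied to weakEncrypt's output would decrypt without complaint or fail only on padding, which is exactly the signal a padding oracle attack feeds on.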
Network Scanning, Location Tracking, and Device Fingerprinting
The application requests GPS and network location permissions for a purpose that is strikingly disproportionate: computing sunrise and sunset times to toggle between light and dark mode, rather than relying on standard system theme settings. This use of precise geolocation for a cosmetic UI feature is difficult to justify technically, and in Iran's context raises immediate questions about whether location data is being collected under the pretext of functionality that could be achieved through far less invasive means.
Beyond location, the application collects extensive device fingerprinting data — hardware model, manufacturer, OS version, mobile carrier codes, timezone, and language — which, alongside GPS advertising IDs and Android UUIDs, is transmitted to Adtrace analytics servers across endpoints in the EU, US, India, China, and Turkey. Adtrace, an Iranian-origin analytics platform, operates under the same jurisdictional pressures as other domestic technology companies. The data it receives from Bitbaan users constitutes a detailed profile of device identity and behavior that exists within a compelled-access environment.
Perhaps most concerning is the application's local network surveillance capability. Bitbaan scans for nearby Wi-Fi devices and stores information about them in a local database, including IP addresses, MAC addresses, and vendor names. For an anti-malware application, network enumeration at this level has no clear justification within its stated security function. What it does provide is a map of the user's local network environment — the devices around them, the infrastructure they connect to — stored locally and accessible to any process or actor with access to the device's storage. In the context of Iran's established practices of device confiscation and inspection, this local network map becomes a record of the user's digital environment that was never intended to leave their phone but is now available to whoever holds it.
Recommendations for Users
Users who choose to continue using Bitbaan should immediately revoke camera, location, SMS, storage, and nearby device permissions through device settings. Revoking camera access is critical to prevent the covert Nosy Detector captures. Location permission should be denied entirely, as the application falls back to a hardcoded time range for theme switching. The password manager should not be relied upon for storing sensitive credentials given its weak cryptographic implementation. Users should understand that the cumulative capabilities present in this application — facial image capture, network device mapping, precise location tracking, and weak credential encryption — constitute an exposure surface that is uniquely dangerous in Iran's jurisdiction. The developers have been contacted through responsible disclosure with prioritized remediation recommendations, beginning with immediate user notification and opt-in consent for the camera feature, followed by cryptographic upgrades and data minimization across all tracking and telemetry functions.
Bitbaan Anti-Malware presents the sharpest illustration of a problem that runs through Iran's domestic app ecosystem: applications that position themselves as protectors of user security while simultaneously creating the very exposure surfaces that make users vulnerable. Whether through negligence or design, the result is the same. Users who installed Bitbaan seeking protection have instead equipped their devices with capabilities — covert imaging, network mapping, weak-encrypted credential storage, and persistent device tracking — that in aggregate describe not a security tool, but a liability.