Millions at Risk as Android Mental Health Apps Expose Sensitive Data

Millions seeking support may have been left exposed. Popular Android mental health apps with more than 14.7 million combined installs contain 1,575 security vulnerabilities, including dozens rated high severity. The findings suggest that users turning to these platforms for privacy and discretion may instead be relying on software riddled with exploitable weaknesses.

First reported by BleepingComputer, the findings stem from research by mobile security firm Oversecured, which identified flaws that could enable credential interception, data leakage, and unauthorized access within therapy and AI-based mental health tools.

How the apps were tested, and what exactly was examined

Oversecured analyzed the Android application packages (APKs) of 10 widely downloaded mental health apps using its automated vulnerability scanner, reviewing the latest versions available on Google Play at the time of testing. The scans, conducted between January 22 and 23, 2026, looked for known insecure coding patterns, unsafe data handling, misconfigurations, and other weaknesses across dozens of vulnerability categories.

The apps reviewed spanned a broad cross-section of digital mental health services:

- Mood and habit tracker: 10M+ installs
- AI therapy chatbot: 1M+ installs
- AI emotional health platform: 1M+ installs
- Online therapy and support community: 1M+ installs
- Health and symptom tracker: 500K+ installs
- CBT-based anxiety app: 500K+ installs
- AI CBT chatbot: 500K+ installs
- Depression management tool: 100K+ installs
- Anxiety and phobia self-help app: 50K+ installs
- Military stress management app: 50K+ installs

According to the researchers, the review focused on identifying weaknesses that could affect authentication flows, local storage protections, inter-app communication, and backend connectivity, all areas critical to safeguarding sensitive user information.

The price of a private struggle

The data stored inside these apps goes well beyond casual journaling. Researchers found that several platforms handle therapy session transcripts, CBT exercises, mood tracking histories, medication reminders, self-harm indicators, and progress scores tied to a user’s mental health journey. In some cases, the information mirrors what would typically be found in a clinician’s file.

These include structured notes, symptom patterns, and treatment-related details that may qualify as protected health information under HIPAA, depending on how the service is delivered. That sensitivity is exactly what makes it valuable. Oversecured founder Sergey Toshin said, “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record,” a price that far exceeds typical financial data.

Small coding shortcuts, big security gaps

Several of the weaknesses stem from how the apps handle inter-app communication, the messaging between components of different apps on the same device.

In at least one case, researchers found that user-supplied data could be parsed into system instructions and executed without proper validation of the destination, potentially allowing an attacker to access internal components not intended for public interaction, including those tied to authentication and session handling. Other issues were more structural. Some apps stored sensitive information locally in ways that could allow other apps on the same device to read it.
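The flaw described above matches the Android pattern usually called Intent redirection: an exported component reads an Intent (or an intent: URI string) from untrusted input and forwards it under the app's own identity, so the sender can reach non-exported components. The following is an added illustration of the missing destination check, written for this page; it is not code from any of the reviewed apps or from Oversecured. It is Android-only code, and the extra name "next", the class name ForwardingActivity and the allow-listed screen names are assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.net.URISyntaxException;

// Added example (not from the apps under review). An exported Activity that
// accepts a requested destination from untrusted input and only forwards it
// after validating where it would actually go.
public class ForwardingActivity extends Activity {
    // Assumed name of the extra carrying the requested destination.
    static final String EXTRA_NEXT = "next";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // The destination may arrive as an embedded Intent or as an intent: URI string.
        Intent inner = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (inner == null) {
            String raw = getIntent().getStringExtra(EXTRA_NEXT);
            if (raw != null) {
                try {
                    inner = Intent.parseUri(raw, Intent.URI_INTENT_SCHEME);
                } catch (URISyntaxException e) {
                    inner = null;   // malformed input is simply dropped
                }
            }
        }

        // Vulnerable pattern: startActivity(inner) with no check. The caller then
        // selects the target, including this app's own non-exported components,
        // because the forwarding app's identity and permissions are used.
        if (inner != null && isSafeDestination(inner)) {
            startActivity(inner);
        }
        finish();
    }

    private boolean isSafeDestination(Intent inner) {
        // Strip pieces a caller could use to steer or escalate the forwarded Intent.
        inner.setSelector(null);
        inner.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);

        ComponentName target = inner.resolveActivity(getPackageManager());
        if (target == null) {
            return false;
        }
        // Resolve first, then compare: the check must look at where the Intent
        // really lands, not at what the caller claims. Allowing the whole package
        // would defeat the purpose, since the private components are the target,
        // so only named screens inside this app are permitted.
        return getPackageName().equals(target.getPackageName())
                && isAllowListed(target.getClassName());
    }

    // Assumed allow-list of screens that may legitimately be reached by forwarding.
    private static boolean isAllowListed(String className) {
        return className.endsWith(".MoodHistoryActivity")
                || className.endsWith(".SettingsActivity");
    }
}
```

Checking the caller instead (for example with getCallingActivity()) is an alternative when only known apps should be able to trigger the forward; the destination check above is the one that holds regardless of who sent the Intent.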

Researchers also identified plaintext configuration files, exposed backend API endpoints, and even hardcoded Firebase database URLs embedded directly in the app package. In multiple cases, session tokens or encryption-related values were generated using java.util.Random, a general-purpose pseudorandom generator that is not cryptographically secure and whose output can be predicted from a few observed values. And most apps lacked root-detection safeguards, meaning that on a rooted device a malicious app with elevated privileges could access locally stored health data without resistance; root detection is a deterrent rather than a boundary, since a privileged attacker can also disable the check, so it is no substitute for encrypting sensitive data at rest.
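A concrete illustration of the java.util.Random point, added here as an example and not taken from any of the reviewed apps or from Oversecured's report. java.util.Random is a 48-bit linear congruential generator, and nextInt() returns the top 32 bits of the state on each call, so two observed outputs leave only 16 unknown bits; the program below recovers the state by trying those 65,536 candidates and then predicts the next "token" the generator will hand out. The class name RandomTokenDemo and the token helper names are assumptions; the program is plain Java and runs with `java RandomTokenDemo.java`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example (not code from the reviewed apps): why a session token built
// from java.util.Random is recoverable by anyone who sees two of them, and
// what to use instead.
public class RandomTokenDemo {
    // Constants of the 48-bit linear congruential generator behind java.util.Random.
    static final long MULT = 0x5DEECE66DL;
    static final long ADD  = 0xBL;
    static final long MASK = (1L << 48) - 1;

    // One generator step: the state update java.util.Random performs per call.
    static long step(long seed) {
        return (seed * MULT + ADD) & MASK;
    }

    // What nextInt() returns for a given state: the top 32 of the 48 state bits.
    static int output(long seed) {
        return (int) (seed >>> 16);
    }

    // Recover the generator state from two consecutive nextInt() outputs.
    // out1 is the top 32 bits of the state that produced it, so only the low
    // 16 bits are unknown. Returns the state after out2, or -1 if nothing matches.
    static long recoverState(int out1, int out2) {
        long upper = (out1 & 0xFFFFFFFFL) << 16;   // mask away sign extension
        for (long low = 0; low < (1 << 16); low++) {
            long candidate = step(upper | low);
            if (output(candidate) == out2) {
                return candidate;
            }
        }
        return -1;
    }

    // Insecure: a "session token" drawn from java.util.Random.
    static int weakToken(Random r) {
        return r.nextInt();
    }

    // Hardened: 32 bytes (256 bits) from the platform CSPRNG, URL-safe encoded.
    static String strongToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        Random r = new Random();          // default seeding does not change the outcome
        int t1 = weakToken(r);            // two tokens an observer gets to see
        int t2 = weakToken(r);

        long state = recoverState(t1, t2);
        int predicted = output(step(state));   // the token the app would issue next
        int actual = weakToken(r);

        System.out.printf("observed %d, %d -> predicted next %d, actual %d, match=%b%n",
                t1, t2, predicted, actual, predicted == actual);
        System.out.println("secure token: " + strongToken());
    }
}
```

The brute force finishes in milliseconds. A false match among the 65,536 candidates is possible but unlikely (roughly one in 65,536); checking a third observed output against the recovered state rules it out. Seeding java.util.Random with the clock or any other value does not help, because the attack never needs the seed, only two outputs.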

Names withheld as fixes move forward

The identities of the affected apps have not been made public while the disclosure process continues. Oversecured said it is notifying vendors and sharing technical details privately to allow time for remediation before releasing full details. Of the apps reviewed, only four had been updated as recently as this month, while others had not received updates since late 2025 or, in some cases, September 2024.

Researchers said they cannot confirm whether the vulnerabilities identified have since been patched, leaving open questions about how quickly fixes are being deployed to millions of existing installs.
