A number of mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users' sensitive medical information.
In one of the apps, security researchers found more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users' therapy data and privacy.
Some of the products are AI companions designed to help people suffering from clinical depression, several forms of anxiety, panic attacks, stress, and bipolar disorder.
At least six of the ten analyzed apps state that user conversations or chats remain private, or are securely encrypted on the vendor's servers.
"Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per file, far more than credit card numbers," says Sergey Toshin, founder of mobile security company Oversecured.
Over 1,500 security issues found
Oversecured scanned ten mobile apps marketed as tools that can help with various mental health problems, and uncovered a total of 1,575 security vulnerabilities (54 rated high-severity, 538 medium-severity, and 983 low-severity).
| # | App type | Installs | High | Medium | Low | Total | Scan date |
|---|---|---|---|---|---|---|---|
| 01 | Mood & habit tracker | 10M+ | 1 | 147 | 189 | 337 | 01/23/2026 |
| 02 | AI therapy chatbot | 1M+ | 23 | 63 | 169 | 255 | 01/22/2026 |
| 03 | AI emotional health platform | 1M+ | 13 | 124 | 78 | 215 | 01/23/2026 |
| 04 | Health & symptom tracker | 500k+ | 7 | 31 | 173 | 211 | 01/22/2026 |
| 05 | Depression management tool | 100k+ | – | 66 | 91 | 157 | 01/23/2026 |
| 06 | CBT-based anxiety app | 500k+ | 3 | 45 | 62 | 110 | 01/22/2026 |
| 07 | Online therapy & support community | 1M+ | 7 | 20 | 71 | 98 | 01/23/2026 |
| 08 | Anxiety & phobia self-help | 50k+ | – | 15 | 54 | 69 | 01/22/2026 |
| 09 | Military stress management | 50k+ | – | 12 | 50 | 62 | 01/22/2026 |
| 10 | AI CBT chatbot | 500k+ | – | 15 | 46 | 61 | 01/23/2026 |
Although none of the discovered issues is rated critical, many can be leveraged to intercept login credentials, spoof notifications, perform HTML injection, or locate the user.
The researchers used the Oversecured scanner to check the APK files of the ten mental health applications for known vulnerability patterns across dozens of categories.
In a report shared with BleepingComputer, the researchers say that some of the verified apps "parse user-supplied URIs without sufficient validation."
One therapy app with more than one million downloads calls Intent.parseUri() on an externally controlled string and launches the resulting messaging object (intent) without validating the target component.
This allows an attacker to force the app to open any of its internal activities, including ones that are not meant to be reachable from outside the app. Because the vulnerable app itself issues the startActivity() call, marking the target activity as non-exported offers no protection against this redirection.
"Since these internal activities often handle authentication tokens and session data, exploitation could give an attacker access to a user's therapy records," Oversecured explains.
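The pattern described above, shown as an added illustration that is not code from the report or from any of the scanned apps. The activity, package, deep-link host and screen names are hypothetical; the vulnerable handler and a hardened replacement sit side by side:

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

import java.net.URISyntaxException;

/**
 * Illustrative deep-link handler (hypothetical; not from any scanned app).
 * It is exported because it handles links, so any app on the device can
 * start it and choose the "redirect" extra.
 */
public class LinkHandlerActivity extends Activity {
    private static final String TAG = "LinkHandler";
    private static final String OWN_HOST = "app.example.org"; // assumed deep-link host

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String target = getIntent().getStringExtra("redirect"); // externally controlled
        if (target != null) {
            launchHardened(target);
        }
        finish();
    }

    // VULNERABLE: the pattern the scanner flags. An "intent:" URI can name a
    // component, for example (constructed):
    //   intent:#Intent;component=org.example.app/.internal.SessionDebugActivity;end
    // startActivity() is issued by this app, so the target's
    // android:exported="false" does not apply; the call comes from inside.
    void launchVulnerable(String target) {
        try {
            startActivity(Intent.parseUri(target, Intent.URI_INTENT_SCHEME));
        } catch (URISyntaxException e) {
            Log.w(TAG, "malformed redirect", e);
        }
    }

    // HARDENED: the parsed intent is untrusted data and is never started.
    // Anything that names a component, package or selector is rejected; only an
    // https link on our own host is accepted; its path is mapped onto a fixed set
    // of screens; and a fresh explicit intent carries only the extras we expect.
    void launchHardened(String target) {
        Intent requested;
        try {
            requested = Intent.parseUri(target, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            Log.w(TAG, "malformed redirect", e);
            return;
        }
        Class<? extends Activity> screen = resolveScreen(requested);
        if (screen == null) {
            Log.w(TAG, "rejected redirect: " + target);
            return;
        }
        Intent safe = new Intent(this, screen);
        safe.putExtra("entryId", requested.getData().getQueryParameter("id"));
        startActivity(safe);
    }

    // Returns the allow-listed screen for a request, or null if anything is off.
    static Class<? extends Activity> resolveScreen(Intent requested) {
        if (requested.getComponent() != null || requested.getPackage() != null
                || requested.getSelector() != null) {
            return null; // the caller tried to pick the destination itself
        }
        Uri data = requested.getData();
        if (data == null || !"https".equals(data.getScheme())
                || !OWN_HOST.equals(data.getHost())) {
            return null;
        }
        String path = data.getPath();
        if (path == null) return null;
        switch (path) {
            case "/mood":    return MoodLogActivity.class;
            case "/journal": return JournalActivity.class;
            default:         return null;
        }
    }

    // Hypothetical destination screens, declared so the file compiles.
    public static class MoodLogActivity extends Activity { }
    public static class JournalActivity extends Activity { }
}
```

The hardened handler only ever starts intents it constructed itself; a plain link such as https://app.example.org/mood?id=3 still works, while any URI that smuggles in a component, package or selector is dropped before it reaches startActivity().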
Another issue is storing data locally in a way that gives read access to any other app on the device. Depending on the stored information, this could expose therapy details such as medication entries, Cognitive Behavioral Therapy (CBT) session notes, and various assessment scores.
Oversecured states that it also discovered plaintext configuration data, including backend API endpoints and a hardcoded Firebase database URL, within the APK resources.
Additionally, some of the vulnerable apps use the cryptographically insecure java.util.Random class to generate session tokens or encryption keys. java.util.Random is a 48-bit linear congruential generator whose state can be recovered from a small amount of output, so any token derived from it is predictable.
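Why the java.util.Random finding matters in practice, as an added example that is not code from the report or the apps. The victim generator and the leaked token are constructed here; the attack recovers the generator state from the first eight bytes of one token and then predicts both the rest of that token and the next token the app would mint. The SecureRandom version is the replacement:

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

/** Added example (not from any scanned app): predictable vs. secure tokens. */
public final class SessionTokens {
    // java.util.Random constants: state' = (state * MULT + ADD) mod 2^48,
    // and nextInt() returns the top 32 bits of the new state.
    private static final long MULT = 0x5DEECE66DL, ADD = 0xBL, MASK = (1L << 48) - 1;

    // VULNERABLE pattern: 32 "random" bytes from java.util.Random.
    static byte[] insecureTokenBytes(Random r) {
        byte[] t = new byte[32];
        r.nextBytes(t);
        return t;
    }

    // HARDENED: 256 bits from the platform CSPRNG, URL-safe for headers/cookies.
    static String secureToken() {
        byte[] t = new byte[32];
        new SecureRandom().nextBytes(t);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
    }

    // nextBytes() emits each nextInt() as four little-endian bytes; rebuild int k.
    static int intAt(byte[] t, int k) {
        int o = 4 * k;
        return (t[o] & 0xff) | (t[o + 1] & 0xff) << 8
                | (t[o + 2] & 0xff) << 16 | (t[o + 3] & 0xff) << 24;
    }

    // Attack: out1 fixes the top 32 of 48 state bits; brute-force the 16 hidden
    // low bits until the next output matches out2. Returns the state after out2,
    // or -1 if nothing matches (the outputs were not consecutive).
    static long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long next = ((high | low) * MULT + ADD) & MASK;
            if ((int) (next >>> 16) == out2) return next;
        }
        return -1;
    }

    // A Random whose internal state equals `state`: setSeed() XORs the seed with MULT.
    static Random cloneFromState(long state) {
        return new Random(state ^ MULT);
    }

    public static void main(String[] args) {
        // Constructed victim: a token minted the way the flagged apps do it.
        Random victim = new Random(System.currentTimeMillis());
        byte[] token = insecureTokenBytes(victim);

        // The attacker observes the token (URL, log line, world-readable file),
        // takes its first eight bytes, and recovers the generator.
        long state = recoverState(intAt(token, 0), intAt(token, 1));
        Random clone = cloneFromState(state);

        // The clone reproduces the remaining 24 bytes of this token...
        boolean restMatches = state != -1;
        for (int k = 2; k < 8; k++) restMatches &= clone.nextInt() == intAt(token, k);
        // ...and every token the victim mints afterwards, e.g. another user's session.
        byte[] nextVictim = insecureTokenBytes(victim);
        byte[] nextPredicted = insecureTokenBytes(clone);

        System.out.println("state recovered:         " + (state != -1));
        System.out.println("rest of token predicted: " + restMatches);
        System.out.println("next token predicted:    " + Arrays.equals(nextVictim, nextPredicted));
        System.out.println("SecureRandom token:      " + secureToken());
    }
}
```

The brute force is 65,536 multiplications, which finishes instantly; the weakness is structural and no choice of seed fixes it. Encryption keys derived from java.util.Random fall to the same state recovery, which is why the finding is classed as a cryptographic weakness rather than a coding style issue.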
According to the researchers, "most of the 10 apps lack any form of root detection." On a rooted device, any app with root privileges can read all health data stored locally. Root detection is a client-side check and can be bypassed, so it is a deterrent rather than a hard security boundary.
Oversecured says that six of the ten analyzed apps "had zero high-severity findings, but still carried medium-severity issues that weaken their overall security posture."
"These apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA," the researchers note.
From BleepingComputer's observations, the collective download count for the apps scanned by Oversecured is more than 14.7 million, and only four received an update as recently as this month. For the rest, the latest update dated from November 2025 or, in some cases, as far back as September 2024.
Oversecured's scans took place between January 22 and 23, 2026, and targeted the latest app versions available at the time. The researchers cannot confirm whether any of the uncovered vulnerabilities have since been addressed.
BleepingComputer has refrained from sharing the names of the impacted apps because the vulnerabilities are still being disclosed by Oversecured.