![\"Android](\"https:\/\/www.newsbeep.com\/ca\/wp-content\/uploads\/2026\/02\/mental-health.jpg\")
<\/p>\n<\/p>\n
Several mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users\u2019 sensitive medical information.<\/p>\n
In one of the apps, security researchers discovered more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users\u2019 therapy data and privacy.<\/p>\n
Some of the products are AI companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress, and bipolar disorder.<\/p>\n
At least six of the ten analyzed apps state that user conversations or chats remain private, or are encrypted securely on the vendor\u2019s servers.<\/p>\n \u201cMental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,\u201d says Sergey Toshin, founder of mobile security company Oversecured.<\/p>\n Over 1,500 security issues found<\/p>\n Oversecured scanned ten mobile apps advertised as tools that can help with various mental health problems, and uncovered a total of 1,575 security vulnerabilities (54 rated high-severity, 538 medium-severity, and 983 low-severity).<\/p>\n \u00a0
Although none of the discovered issues are critical, many can be leveraged to intercept login credentials, spoof notifications, HTML injection, or to locate the user.<\/p>\n The researchers used the Oversecured scanner to check the APK files of the ten mental health applications for known vulnerability patterns in dozens of categories.<\/p>\n In a report shared with BleepingComputer, the researchers say that some of the verified apps \u201cparse user-supplied URIs without adequate validation.\u201d<\/p>\n One therapy app with more than one million downloads uses Intent.parseUri() on an externally controlled string and launches the resulting messaging object (intent) without validating the target component.<\/p>\n This allows an attacker to force the app to open any internal activity, even if it is not intended for external access.<\/p>\n \u201cSince these internal activities often handle authentication tokens and session data, exploitation could give an attacker access to a user\u2019s therapy records,\u201d Oversecured explains.<\/p>\n Another issue is storing data locally in a way that gives read access to any app on the device. Depending on the saved information, this could expose therapy details, such as therapy entries, Cognitive Behavioral Therapy (CBT) session notes, and various scores.<\/p>\n Oversecured states that they also discovered plaintext configuration data, including backend API endpoints and a hardcoded Firebase database URL, within the APK resources.<\/p>\n Furthermore, some of the vulnerable apps use the cryptographically insecure java.util.Random class for generating session tokens or encryption keys.<\/p>\n According to the researchers, \u201cmost of the 10 apps lack any form of root detection.\u201d On a rooted (jailbroken) device, any app with root privileges has access to all health data stored locally.<\/p>\n Oversecured says that six of the ten analyzed apps \u201chad zero high-severity findings, but still carried medium-severity issues that weaken their overall security posture.\u201d<\/p>\n \u201cThese apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA,\u201d the researchers note.<\/p>\n From BleepingComputer\u2019s observations the collective download count for the apps scanned by Oversecured is more than\u00a014.7 million, and only four received an update as recently as this month. For the rest, the date of the latest update was as recent as\u00a0November 2025 or even September 2024.<\/p>\n Oversecured\u2019s scans occurred between January 22 and 23 and targeted the latest app versions available at the time. The researchers cannot confirm if any of the uncovered vulnerabilities have been addressed.\u00a0<\/p>\n BleepingComputer has refrained from the sharing the names of the impacted apps as the vulnerabilities are still being disclosed by Oversecured.<\/p>\n![\"Wiz\"](\"https:\/\/www.newsbeep.com\/ca\/wp-content\/uploads\/2026\/02\/ai-security-board-report-template.jpg\")
<\/a><\/p>\n
\n\t\t\tApp Type
\n\t\t\tInstalls
\n\t\t\tHigh
\n\t\t\tMedium
\n\t\t\tLow
\n\t\t\tTotal
\n\t\t\tScan date
\n\t\t01
\n\t\t\tMood & habit tracker
\n\t\t\t10M+
\n\t\t\t1
\n\t\t\t147
\n\t\t\t189
\n\t\t\t337
\n\t\t\t01\/23\/2026
\n\t\t02
\n\t\t\tAI therapy chatbot
\n\t\t\t1M+
\n\t\t\t23
\n\t\t\t63
\n\t\t\t169
\n\t\t\t255
\n\t\t\t01\/22\/2026
\n\t\t03
\n\t\t\tAI emotional health platform
\n\t\t\t1M+
\n\t\t\t13
\n\t\t\t124
\n\t\t\t78
\n\t\t\t215
\n\t\t\t01\/23\/2026
\n\t\t04
\n\t\t\tHealth & symptom tracker
\n\t\t\t500k+
\n\t\t\t7
\n\t\t\t31
\n\t\t\t173
\n\t\t\t211
\n\t\t\t01\/22\/2026
\n\t\t05
\n\t\t\tDepression management tool
\n\t\t\t100k+
\n\t\t\t-
\n\t\t\t66
\n\t\t\t91
\n\t\t\t157
\n\t\t\t01\/23\/2026
\n\t\t06
\n\t\t\tCBT-based anxiety app
\n\t\t\t500k+
\n\t\t\t3
\n\t\t\t45
\n\t\t\t62
\n\t\t\t110
\n\t\t\t01\/22\/2026
\n\t\t07
\n\t\t\tOnline therapy & support community
\n\t\t\t1M+
\n\t\t\t7
\n\t\t\t20
\n\t\t\t71
\n\t\t\t98
\n\t\t\t01\/23\/2026
\n\t\t08
\n\t\t\tAnxiety & phobia self-help
\n\t\t\t50k+
\n\t\t\t-
\n\t\t\t15
\n\t\t\t54
\n\t\t\t69
\n\t\t\t01\/22\/2026
\n\t\t09
\n\t\t\tMilitary stress management
\n\t\t\t50k+
\n\t\t\t-
\n\t\t\t12
\n\t\t\t50
\n\t\t\t62
\n\t\t\t01\/22\/2026
\n\t\t10
\n\t\t\tAI CBT chatbot
\n\t\t\t500k+
\n\t\t\t-
\n\t\t\t15
\n\t\t\t46
\n\t\t\t61
\n\t\t\t01\/23\/2026
<\/p>\n
![\"tines\"\/](\"https:\/\/www.newsbeep.com\/ca\/wp-content\/uploads\/2026\/02\/tines-in-art-square.jpg\")