Security Flaws Found in Popular Android Mental Health Apps With Over 14.7 Million Downloads

A group of widely used Android mental health applications downloaded more than 14.7 million times from the Google Play Store has been found to contain numerous security vulnerabilities that could put users’ highly sensitive health data at risk.

Security researchers at mobile protection firm Oversecured analyzed ten mental health apps designed to support users with conditions such as anxiety, depression, bipolar disorder, and other psychological challenges. In total, the team discovered 1,575 security issues, including 54 rated high-severity and 538 medium-severity vulnerabilities.

“Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” said Oversecured founder Sergey Toshin, highlighting the value of private mental health information to cybercriminals.

What the Flaws Could Mean for Users

Experts warn that many of these flaws — while not all critical — could be exploited to:

  • Intercept login credentials and session tokens
  • Access confidential therapy notes, mood logs, and personal responses
  • Spoof app notifications or redirect sensitive data to unauthorized components
  • Expose sensitive app data stored locally to other apps on a user’s device

One particularly concerning vulnerability involved how certain apps process user-supplied data. In some cases, attackers could manipulate internal functions to gain access to secure areas that handle authentication — potentially exposing user records.

Other issues included insecure storage of configuration details such as backend API endpoints, use of weak random-number generators for session tokens, and failure to detect rooted devices, which makes it easier for malicious apps to access local data.
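
Why a weak random-number generator matters for session tokens, shown as an added example that is not taken from the article or from any of the analyzed apps. The article does not name the generator involved, so `java.util.Random` stands in here as an assumed weak source, next to `SecureRandom` as the hardened form; the class name, method names and seed value are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class SessionTokenDemo {

    // Weak pattern (assumed for illustration; the article does not name the
    // generator): java.util.Random is a 48-bit linear congruential generator,
    // so every byte it emits is fully determined by the seed.
    static String weakToken(long seed) {
        byte[] buf = new byte[16];
        new Random(seed).nextBytes(buf);
        return encode(buf);
    }

    // Hardened pattern: one shared SecureRandom, 256 bits per token,
    // seeded by the platform's cryptographic entropy source.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String strongToken() {
        byte[] buf = new byte[32];
        CSPRNG.nextBytes(buf);
        return encode(buf);
    }

    // URL-safe Base64 without padding, suitable for a header or cookie value.
    static String encode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample seed: a millisecond timestamp, a common seeding habit.
        long seed = 1700000000000L;
        String a = weakToken(seed);
        String b = weakToken(seed);
        System.out.println("weak   #1: " + a);
        System.out.println("weak   #2: " + b);
        System.out.println("same seed reproduces the token: " + a.equals(b));

        String c = strongToken();
        String d = strongToken();
        System.out.println("strong #1: " + c);
        System.out.println("strong #2: " + d);
        System.out.println("strong tokens collide: " + c.equals(d));
    }
}
```

The weak token depends only on the seed, so its strength is bounded by how hard the seed is to guess rather than by the token's length. In a code review, any `java.util.Random` or `Math.random()` call feeding a token, nonce or password-reset value is the pattern to flag.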

Developers and Users Urged to Act

The affected apps amassed millions of installs but only four had been updated recently — suggesting that many remain unpatched against the newly uncovered vulnerabilities. Researchers noted they could not confirm whether developers have fixed any of the issues.

Cybersecurity experts recommend that developers strengthen security practices, especially for applications handling protected health information (PHI), and that users carefully consider privacy risks when choosing mental health tools.

As the use of AI-based therapy companions and self-help trackers grows, so does the importance of robust data protection to safeguard deeply personal information.