Android mental health apps with 14.7M installs riddled with security flaws

Multiple mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users' sensitive medical information.

In one of the apps, security researchers discovered more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users' therapy data and privacy.

Some of the products are AI companions designed to help people suffering from clinical depression, several forms of anxiety, panic attacks, stress, and bipolar disorder.


At least six of the ten analyzed apps state that user conversations or chats remain private, or are encrypted securely on the vendor's servers.

"Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers," says Sergey Toshin, founder of mobile security company Oversecured.

Over 1,500 security issues found

Oversecured scanned ten mobile apps marketed as tools that can help with various mental health problems, and uncovered a total of 1,575 security vulnerabilities (54 rated high-severity, 538 medium-severity, and 983 low-severity).

| # | App type | Installs | High | Medium | Low | Total | Scan date |
|---|----------|----------|------|--------|-----|-------|-----------|
| 01 | Mood & habit tracker | 10M+ | 1 | 147 | 189 | 337 | 01/23/2026 |
| 02 | AI therapy chatbot | 1M+ | 23 | 63 | 169 | 255 | 01/22/2026 |
| 03 | AI emotional health platform | 1M+ | 13 | 124 | 78 | 215 | 01/23/2026 |
| 04 | Health & symptom tracker | 500k+ | 7 | 31 | 173 | 211 | 01/22/2026 |
| 05 | Depression management tool | 100k+ | 0 | 66 | 91 | 157 | 01/23/2026 |
| 06 | CBT-based anxiety app | 500k+ | 3 | 45 | 62 | 110 | 01/22/2026 |
| 07 | Online therapy & support community | 1M+ | 7 | 20 | 71 | 98 | 01/23/2026 |
| 08 | Anxiety & phobia self-help | 50k+ | 0 | 15 | 54 | 69 | 01/22/2026 |
| 09 | Military stress management | 50k+ | 0 | 12 | 50 | 62 | 01/22/2026 |
| 10 | AI CBT chatbot | 500k+ | 0 | 15 | 46 | 61 | 01/23/2026 |

Although none of the discovered issues are critical, many can be leveraged to intercept login credentials, spoof notifications, perform HTML injection, or locate the user.

The researchers used the Oversecured scanner to check the APK files of the ten mental health applications for known vulnerability patterns in dozens of categories.

In a report shared with BleepingComputer, the researchers say that some of the verified apps "parse user-supplied URIs without sufficient validation."

One therapy app with more than one million downloads uses Intent.parseUri() on an externally controlled string and launches the resulting messaging object (intent) without validating the target component.

This allows an attacker to force the app to open any internal activity, even if it is not intended for external access.

"Since these internal activities often handle authentication tokens and session data, exploitation could give an attacker access to a user's therapy records," Oversecured explains.
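The hardening a developer would apply to the Intent.parseUri() pattern described above, as an added Java example that is not code from the report or from any of the scanned apps; the class name, the launchUntrusted() method and the "https" scheme allowlist are assumptions for illustration:

```java
import android.content.Context;
import android.content.Intent;
import java.net.URISyntaxException;
import java.util.Set;

// Added example: launch an intent built from an externally supplied URI string
// without letting that string pick an internal (non-exported) activity.
public final class SafeIntentLauncher {

    // Schemes the app legitimately expects from outside (assumed allowlist).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    // URI-permission grant flags must never be forwarded from untrusted input.
    private static final int GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    // The weak pattern the report describes, shown only for contrast:
    //   Intent i = Intent.parseUri(untrusted, Intent.URI_INTENT_SCHEME);
    //   context.startActivity(i);   // the string decides which activity opens
    public static boolean launchUntrusted(Context context, String untrusted) {
        Intent intent;
        try {
            intent = Intent.parseUri(untrusted, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return false;               // malformed input is simply dropped
        }
        // Remove every form of explicit targeting the URI may have encoded,
        // so the intent can only resolve implicitly to an exported handler.
        intent.setComponent(null);
        intent.setSelector(null);
        intent.setPackage(null);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.setFlags(intent.getFlags() & ~GRANT_FLAGS);

        // Enforce the scheme allowlist on the data URI.
        if (intent.getData() == null
                || !ALLOWED_SCHEMES.contains(intent.getData().getScheme())) {
            return false;
        }
        // Refuse anything that no exported activity is willing to handle.
        if (intent.resolveActivity(context.getPackageManager()) == null) {
            return false;
        }
        context.startActivity(intent);
        return true;
    }
}
```

Activities that hold tokens or session data should additionally be declared with android:exported="false" in the manifest, so that clearing the component here is a second layer rather than the only one.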

Another issue is storing data locally in a way that gives read access to any app on the device. Depending on the stored information, this could expose therapy details, such as therapy entries, Cognitive Behavioral Therapy (CBT) session notes, and various scores.

Oversecured states that they also discovered plaintext configuration data, including backend API endpoints and a hardcoded Firebase database URL, within the APK resources.

Additionally, some of the vulnerable apps use the cryptographically insecure java.util.Random class for generating session tokens or encryption keys.

According to the researchers, "most of the 10 apps lack any form of root detection." On a rooted (jailbroken) device, any app with root privileges has access to all health data stored locally.

Oversecured says that six of the ten analyzed apps "had zero high-severity findings, but still carried medium-severity issues that weaken their overall security posture."

"These apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA," the researchers note.

From BleepingComputer's observations, the collective download count for the apps scanned by Oversecured is more than 14.7 million, and only four received an update as recently as this month. For the rest, the date of the latest update was as recent as November 2025 or even September 2024.

Oversecured's scans took place between January 22 and 23 and targeted the latest app versions available at the time. The researchers cannot confirm whether any of the discovered vulnerabilities have been addressed.

BleepingComputer has refrained from sharing the names of the impacted apps as the vulnerabilities are still being disclosed by Oversecured.
