
Millions seeking help could have been left exposed.
Popular Android mental health apps with more than 14.7 million combined installs contain 1,575 security vulnerabilities, including dozens rated high severity. The findings suggest that users turning to these platforms for privacy and discretion may instead be relying on software riddled with exploitable weaknesses.
First reported by BleepingComputer, the findings stem from research by mobile security firm Oversecured, which identified flaws that could enable credential interception, data leakage, and unauthorized access within therapy and AI-based mental health tools.
How the apps were tested, and what exactly was examined
Oversecured analyzed the Android application packages (APKs) of 10 widely downloaded mental health apps using its automated vulnerability scanner, reviewing the latest versions available on Google Play at the time of testing.
The scans, conducted between January 22 and 23, 2026, looked for known insecure coding patterns, unsafe data handling, misconfigurations, and other weaknesses across dozens of vulnerability categories.
The apps reviewed spanned a broad cross-section of digital mental health services:
- Mood and habit tracker: 10M+ installs
- AI therapy chatbot: 1M+ installs
- AI emotional health platform: 1M+ installs
- Online therapy and support community: 1M+ installs
- Health and symptom tracker: 500K+ installs
- CBT-based anxiety app: 500K+ installs
- AI CBT chatbot: 500K+ installs
- Depression management tool: 100K+ installs
- Anxiety and phobia self-help app: 50K+ installs
- Military stress management app: 50K+ installs
According to the researchers, the review focused on identifying weaknesses that could affect authentication flows, local storage protections, inter-app communication, and backend connectivity — areas critical to safeguarding sensitive user information.
The price of a private struggle
The data stored within these apps goes well beyond casual journaling. Researchers found that several platforms handle therapy session transcripts, CBT exercises, mood tracking histories, medication reminders, self-harm indicators, and progress scores tied to a user’s mental health journey.
In some cases, the information mirrors what would typically be found in a clinician’s file. These include structured notes, symptom patterns, and treatment-related details that may qualify as protected health information under HIPAA, depending on how the service is delivered.
That sensitivity is exactly what makes it valuable. Oversecured founder Sergey Toshin said, “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record,” a price that far exceeds typical financial data.
Small coding shortcuts, big security gaps
Several of the weaknesses stem from how the apps handle internal app communication.
In at least one case, researchers found that user-supplied data could be parsed into system instructions and executed without proper validation of the destination, potentially allowing an attacker to access internal components not intended for public interaction, including those tied to authentication and session handling.
Other issues were more structural. Some apps stored sensitive information locally in ways that could allow other apps on the same device to read it. Researchers also identified plaintext configuration files, exposed backend API endpoints, and even hardcoded Firebase database URLs embedded directly in the app package.
In several cases, session tokens or encryption-related values were generated using the cryptographically insecure java.util.Random class. And most apps lacked root-detection safeguards, meaning that on a rooted device, a malicious app with elevated privileges could access locally stored health data without resistance.
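The token-generation weakness described above, as an added Android example that is not code from any of the apps or from Oversecured: the first method reproduces the java.util.Random pattern the researchers flagged, the second is the hardened replacement using SecureRandom; the class and method names are assumed.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

/** Added example: weak vs. hardened session-token generation on Android. */
public final class SessionTokens {

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Its output
    // is fully determined by the seed, and the no-arg constructor seeds it from a
    // clock-derived value, so a token is guessable by anyone who can observe a few
    // outputs or narrow down when it was minted. Never use it for tokens, keys,
    // IVs or salts. (java.util.Base64 needs Android API 26+; android.util.Base64
    // works on older releases.)
    public static String weakToken() {
        Random rng = new Random();
        byte[] bytes = new byte[32];
        rng.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // HARDENED: SecureRandom is backed by the platform CSPRNG (/dev/urandom on
    // Android), which is what the platform itself uses for key material.
    private static final SecureRandom SECURE = new SecureRandom();

    public static String secureToken() {
        byte[] bytes = new byte[32];        // 256 bits of entropy
        SECURE.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Why the weak version fails: two generators built from the same seed emit
    // identical "tokens". A clock-seeded Random is only as secret as the clock.
    public static boolean weakIsReproducible(long seed) {
        byte[] a = new byte[32], b = new byte[32];
        new Random(seed).nextBytes(a);
        new Random(seed).nextBytes(b);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) {
        System.out.println("weak (predictable): " + weakToken());
        System.out.println("secure:             " + secureToken());
        System.out.println("same seed gives same token: " + weakIsReproducible(1234L));
    }
}
```

On a code review or in a static scan, any `new Random(` on a path that produces a token, key, IV, salt or password-reset code is the finding; the fix is a one-line swap to SecureRandom.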
Names withheld as fixes move forward
The identities of the affected apps have not been made public while the disclosure process continues. Oversecured said it is notifying vendors and sharing technical details privately to allow time for remediation before releasing full details.
Of the apps reviewed, only four had been updated as recently as this month, while others had not received updates since late 2025 or, in some cases, September 2024.
Researchers said they cannot confirm whether the vulnerabilities identified have since been patched, leaving open questions about how quickly fixes are being deployed to millions of existing installs.