Several popular Android mental-health apps with more than 14.7 million combined installs have been found to contain serious security flaws. These apps are widely used for mood tracking, therapy chats, and emotional support. Many users trust them with highly personal information. However, recent research shows that this data may not be as secure as people believe.

The findings were published by the mobile security company Oversecured after scanning ten Android mental-health applications. The security review was conducted in January 2026 using automated vulnerability detection tools. During the analysis, researchers identified a total of 1,575 security issues. These vulnerabilities were found in the latest available versions of the apps at that time.

Out of the 1,575 issues discovered, 54 were classified as high-severity vulnerabilities. In addition, 538 were marked as medium-severity and 983 as low-severity problems. High-severity flaws can potentially allow attackers to access sensitive information directly. Even medium-severity issues can become dangerous if combined with other weaknesses.

The apps tested included AI therapy chatbots, mood trackers, CBT tools, and emotional wellness platforms. One app with more than one million installs alone had over 85 combined high- and medium-severity vulnerabilities. Together, the ten tested apps exceeded 14.7 million installs. This means millions of users could potentially be exposed to privacy risks.

Researchers found problems related to improper handling of Android components and unsafe data storage practices. Some apps processed external input without properly validating it first. In certain cases, attackers could exploit these weaknesses to access internal app functions. Such flaws may allow unauthorized access to therapy sessions or stored personal records.
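For developers reviewing their own app, a first triage step for the component-handling issues described above is to list which components other apps can reach without holding a permission. This is an added example, not Oversecured's tooling or code from any tested app; it assumes a manifest already decoded to text XML (for example with apktool), and the package and class names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.moodjournal">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SessionViewerActivity" android:exported="true"/>
    <receiver android:name=".ReminderReceiver">
      <intent-filter><action android:name="com.example.moodjournal.REMIND"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.moodjournal.SYNC"/>
    <provider android:name=".JournalProvider" android:authorities="com.example.moodjournal" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(node):
    flag = node.get(A + "exported")
    if flag is not None:
        return flag == "true"
    # No explicit flag: before Android 12 an intent-filter implied exported=true.
    return node.tag != "provider" and node.find("intent-filter") is not None

def unguarded_exported_components(manifest_xml):
    """Return (tag, name) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    app_permission = app.get(A + "permission")  # default for all components
    findings = []
    for node in app:
        launcher = any(c.get(A + "name") == LAUNCHER for c in node.iter("category"))
        if node.tag not in COMPONENTS or not is_exported(node) or launcher:
            continue  # the launcher activity is expected to be exported
        if not (node.get(A + "permission") or app_permission):
            findings.append((node.tag, node.get(A + "name")))
    return findings

if __name__ == "__main__":
    for tag, name in unguarded_exported_components(SAMPLE_MANIFEST):
        print(f"review input handling: <{tag}> {name}")
```

Each finding marks a component whose incoming Intent extras and URIs should be validated before they reach internal app functions, or that should be set to `android:exported="false"` if no other app needs it.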

Other issues included exposure of sensitive information in local files and weak random key generation methods. Some apps did not properly detect if a device was rooted, which increases exploitation risk. Researchers also found hardcoded backend URLs inside application code. These weaknesses can make it easier for attackers to analyze and target the apps.

Mental-health data is considered extremely sensitive because it may include therapy conversations, mood logs, medication schedules, and personal reflections. Security experts note that such records are highly valuable on underground marketplaces. In some cases, mental-health records can be worth more than financial information like credit card numbers. This increases the motivation for cybercriminals to target such platforms.

At the time of reporting, it was unclear whether all affected apps had fully fixed the identified vulnerabilities. Oversecured did not release detailed technical exploit information while remediation efforts were ongoing. Only a limited number of updates addressing security issues were visible in app stores. The findings highlight the importance of stronger security practices in apps that handle sensitive health information.

Stay alert, and keep your security measures updated!
