Android Mental Health Apps With Nearly 15 Million Downloads Found Vulnerable to Data Security Risks
Several popular mental health applications on the Google Play Store, collectively downloaded nearly 15 million times, may be exposing users’ sensitive personal data due to multiple security vulnerabilities, according to new research by Oversecured.
The security analysis identified a total of 1,575 vulnerabilities across 10 mental health apps, including AI-powered therapy chatbots, raising concerns about the safety of private therapy conversations, mood logs, and medical information.
Hundreds of Security Flaws Detected
Researchers classified the vulnerabilities into different severity levels, including 54 high-risk, 538 medium-risk, and 983 low-risk issues. While not all were critical, experts warned that many flaws could allow attackers to intercept login credentials, manipulate app functions, inject malicious content, or track users.
In one instance, more than 85 medium- and high-severity vulnerabilities were discovered in a single application.
Sergey Toshin, founder of Oversecured, warned that mental health data is particularly valuable to cybercriminals. “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” he said.
Sensitive Personal Data at Risk
The affected apps collect highly sensitive information, including therapy session transcripts, personal journals, mood tracking logs, medication schedules, and mental health indicators. Researchers noted that some of this information could fall under strict medical privacy protections.
Security flaws were found in the way certain apps handled external commands and links, potentially allowing hackers to bypass security safeguards and access protected sections containing authentication tokens and user session data.
In one case, a therapy app with over one million downloads could be manipulated to open internal app components without proper verification, creating a pathway for attackers to access confidential therapy records.
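As an added illustration (not code from the Oversecured research or from any of the apps, whose names and specific flaws are not given here), the following Python script lists the components in a decoded AndroidManifest.xml that other apps or links can start without holding a permission. These are the entry points whose handling of incoming links and intents needs review before they hand off to internal screens. The sample manifest, package name, and finding labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (hypothetical app, not one from the research).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.moodjournal">
  <application>
    <activity android:name=".LinkRouterActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="moodjournal"/>
      </intent-filter>
    </activity>
    <activity android:name=".SessionTranscriptActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.moodjournal.SYNC"/>
    <receiver android:name=".ReminderReceiver">
      <intent-filter><action android:name="com.example.moodjournal.REMIND"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (component, issue) pairs for entry points reachable without a permission."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for comp in app.iter():
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(ANDROID + "name")
        exported = comp.get(ANDROID + "exported")
        filters = comp.findall("intent-filter")
        # Before Android 12, an intent filter without android:exported meant exported.
        implicit = exported is None and bool(filters)
        if not (exported == "true" or implicit) or comp.get(ANDROID + "permission"):
            continue
        browsable = any(c.get(ANDROID + "name") == "android.intent.category.BROWSABLE"
                        for f in filters for c in f.findall("category"))
        label = ("implicitly-exported" if implicit else
                 "exported-deep-link" if browsable else "exported-no-permission")
        findings.append((name, label))  # review how this component validates its input
    return findings

if __name__ == "__main__":
    for name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{issue:24} {name}")
```

A flagged component is not a vulnerability by itself; the audit narrows code review to the places where externally supplied links or intents enter the app.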
Poor Storage and Weak Security Protections
The study also found that some apps stored sensitive data locally without adequate protection, making it accessible to other apps installed on the same device. This could expose therapy notes, mood scores, and personal journal entries.
Additional risks included unprotected backend server configurations, weak encryption key generation methods, and the absence of root detection safeguards, increasing the likelihood of unauthorized access on compromised devices.
Lack of Updates Raises Further Concerns
Researchers also highlighted that many of the vulnerable apps had not received recent security updates. Only four of the 10 apps were updated recently, while others had not been updated since 2024 or late 2025.
The security scans were conducted in January 2026, and it remains unclear whether the identified vulnerabilities have since been addressed.
The findings highlight growing concerns over data privacy and security in digital mental health platforms, especially as millions of users rely on such apps for confidential and sensitive support.
