Ethical Hacking News
Security flaws have been exposed in popular Android mental health apps with over 14.7 million downloads on Google Play. Researchers have identified critical vulnerabilities that could compromise user data security, highlighting the need for greater scrutiny and testing of these apps. Users are advised to exercise caution when using mental health tools and stay informed about the latest security updates and patches.
Researchers found 1,575 security issues in ten popular mental health apps, including over 54 high-severity vulnerabilities. The vulnerabilities could be exploited to intercept login credentials, spoof notifications, and access sensitive user data. Mental health data carries unique risks: therapy records sell for $1,000 or more on the dark web. Only four of the ten analyzed apps received an update in the last month. The collective download count exceeds 14.7 million, making these apps some of the most popular mental health tools available.
Android mental health apps, designed to aid individuals suffering from various psychological disorders, have been found to contain security vulnerabilities that can compromise users' sensitive medical information. A recent study conducted by mobile security company Oversecured has revealed a total of 1,575 security issues in ten popular mental health apps, with over 54 high-severity vulnerabilities discovered.
Oversecured scanned the apps for known vulnerability patterns using the company's scanner, which identified several critical weaknesses that could be exploited to intercept login credentials, spoof notifications, and access sensitive user data. Among the most concerning findings was the presence of plaintext configuration data, including backend API endpoints and hardcoded Firebase database URLs, within the APK resources of some apps.
Furthermore, the researchers discovered that many of the vulnerable apps use cryptographically insecure methods for generating session tokens or encryption keys, leaving users' therapy records and other sensitive information exposed. The lack of root detection in several apps also posed a significant risk, as any app with root privileges could potentially access all health data stored locally on the device.
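As an added example (not from Oversecured or the original article), here is a pre-release check a developer could run on their own build to catch the plaintext configuration data described above: it searches every APK entry for hardcoded Firebase database URLs and backend endpoints, including strings stored as UTF-16LE. The host suffixes, the ignore list and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/[A-Za-z0-9._~/%-]*)?")
# Assumption: Realtime Database hosts end in one of these two suffixes.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
IGNORED_HOSTS = {"schemas.android.com", "www.w3.org"}  # XML namespaces, not endpoints


def text_views(data):
    """Decode raw bytes three ways so both UTF-8 files and UTF-16LE string
    pools (as in resources.arsc) expose their URLs to one ASCII regex."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")  # odd byte alignment


def scan_apk(apk):
    """Return sorted (entry, kind, url) findings for an APK path or file object."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for view in text_views(data):
                for m in URL_RE.finditer(view):
                    host = m.group(1).rstrip(".").lower()
                    if host in IGNORED_HOSTS or "." not in host:
                        continue
                    kind = ("firebase_db_url" if host.endswith(FIREBASE_SUFFIXES)
                            else "backend_endpoint")
                    findings.add((name, kind, m.group(0).rstrip(".")))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: a tiny in-memory archive standing in for a release APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json",
                    '{"api": "https://api.example.invalid/v1/", '
                    '"db": "https://demo-project.firebaseio.com"}')
        pool = "https://demo-rtdb.europe-west1.firebasedatabase.app".encode("utf-16-le")
        zf.writestr("resources.arsc", b"\x01" + pool + b"\x00\x00")
        zf.writestr("AndroidManifest.xml",
                    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"/>')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, kind, url in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind}: {url}")
```

A finding is a prompt to review what sits behind the URL: an endpoint shipped in the APK is readable by anyone who downloads the app, so access control has to be enforced on the server side rather than relying on the address staying private.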
The study highlights the need for greater scrutiny and testing of mental health apps, which often collect and store highly sensitive personal data. "Mental health data carries unique risks," notes Sergey Toshin, founder of mobile security company Oversecured. "On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers."
The researchers emphasize that while none of the discovered issues are critical, many can be leveraged to compromise user privacy and data security. The fact that only four of the ten analyzed apps received an update as recently as this month raises concerns about the effectiveness of the app developers' response to vulnerability disclosure.
The collective download count for the affected apps exceeds 14.7 million, making them some of the most popular mental health tools available on Google Play. As users become increasingly aware of the importance of data security and online privacy, it is essential that app developers prioritize these concerns and take proactive steps to address any identified vulnerabilities.
In light of this recent discovery, users are advised to exercise caution when using mental health apps and to stay informed about the latest security updates and patches. By taking these precautions, individuals can protect their sensitive information and maintain confidence in the tools they use to manage their mental well-being.
Related Information:
https://www.ethicalhackingnews.com/articles/Security-Flaws-Exposed-in-147M-Downloaded-Android-Mental-Health-Apps-ehn.shtml
https://www.bleepingcomputer.com/news/security/android-mental-health-apps-with-147m-installs-filled-with-security-flaws/
https://blog.oversecured.com/Security-researchers-find-vulnerabilities-in-mental-health-apps/
Published: Mon Feb 23 17:17:33 2026 by llama3.2 3B Q4_K_M