Experts from the security firm Oversecured are sounding the alarm, stating that many popular mental health and therapy Android apps on the Google Play Store are causing more harm than good for patients and users.
Android Apps are Putting Users at Risk
The firm analyzed 10 of the most downloaded apps and found that they collectively contain over 1,000 security vulnerabilities, according to a report by Bleeping Computer. Most of these flaws are categorized as high severity, while the remainder are rated medium to low. For example, one app titled AI Therapy Chatbot was flagged for 23 high-severity bugs on its own.
The situation is worsened by the sheer scale of the user base. These apps have been cumulatively downloaded over 14 million times. The leading app in the list, Mood & Habit Tracker, has been installed 10 million times, while many of the remaining apps have over 500,000 downloads each.
Sensitive Information Can Be Stolen
The report highlights that these flaws allow attackers to bypass security measures to access and steal user data, including therapy records, medication schedules, and home addresses.
Some of the described flaws involve developers storing critical database elements in plaintext without additional safeguards. Other apps were found to lack adequate validation when parsing user data or to use insecure key generation, which could allow attackers to force the apps to expose internal data.

Oversecured noted in the research report that “these apps collect and store some of the most sensitive personal data in mobile: therapy session transcripts, mood logs, medication schedules, self-harm indicators, and in some cases, information protected under HIPAA.”
The report added that cybercriminals can sell stolen therapy records on the dark web, where they often fetch upwards of $1,000 per record. This information is considered far more valuable than credit card numbers.
Beyond the risk of data theft, bad actors can exploit these flaws in multiple ways. They can use them to execute code remotely or install malware that extracts login credentials, bank account information, and physical addresses.
While these vulnerabilities can often be mitigated through regular app updates, the report highlights a significant issue: very few apps receive regular updates. Many are updated only every few months, and in some cases, years pass between security patches.
What Users Can Do to Protect Themselves
Users are advised to take proactive measures to secure their data. This includes not giving exhaustive personal details to suspicious apps or websites. Additionally, users should avoid apps that lack a history of regular updates or come from unverified developers.
Maintaining an updated Android phone or tablet by installing the latest security firmware and Android OS versions is also critical. If a device is no longer receiving updates, it is highly recommended to upgrade to a newer model or avoid using the device for financial apps and sensitive personal information.
Have you checked your phone to see if you have these apps installed? Share your findings in the comments below.