Millions of Android users relying on mental health apps for therapy, mood tracking, and emotional support may be exposing highly sensitive personal data to potential theft, according to a new security investigation. Mobile security firm Oversecured scanned ten popular mental health apps on Google Play Store, which were downloaded around 14.7 million times globally, and identified a total of 1,575 security vulnerabilities. The investigators warn of 54 high-severity, 538 medium-severity, and 983 low-severity issues.
The apps, which often include AI-powered therapy chatbots and tools for logging moods, journaling, and managing mental health, claim to prioritise user privacy through server-side encryption. However, the research revealed serious flaws that could allow cyber attackers to access private therapy transcripts, mood logs, medication schedules, self-harm indicators, and even HIPAA-protected information in some cases.
AI mental health apps with severe security vulnerabilities found
The researchers found that the discovered risks included improper handling of externally supplied links and commands, which could let attackers reach internal app components and expose login tokens and session data. Other issues included:
– Storage of sensitive information (like CBT session notes and journal entries) in locations accessible to other apps on the device.
– Unprotected backend server addresses and weak random number generation for security keys.
– Lack of root detection, making rooted devices particularly vulnerable.
– Exploitation risks such as HTML injection, notification spoofing, credential interception, and user location exposure.
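Two of the weakness classes listed above, sensitive data written where other apps can read it and security keys derived from a weak random number generator, have simple hardened counterparts. The following Java program is an added illustration written for this page; it is not code from the report or from any of the scanned apps. It runs on a plain JVM with a POSIX filesystem and uses file permissions as a stand-in for Android's storage modes (the comments name the Android analogue where one exists); the journal entry is a constructed sample, not real user data.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.EnumSet;
import java.util.Random;
import java.util.Set;

public final class SensitiveStorageDemo {

    // Weak pattern: a key drawn from a time-seeded PRNG is predictable to anyone
    // who can bracket the creation time; java.util.Random is not a CSPRNG.
    static byte[] weakKey() {
        Random rng = new Random(System.currentTimeMillis());
        byte[] key = new byte[32];
        rng.nextBytes(key);
        return key;
    }

    // Hardened pattern: SecureRandom draws from the platform CSPRNG.
    static byte[] strongKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Weak pattern: writing a journal entry to a shared directory with default
    // permissions typically leaves it readable by other processes. The Android
    // analogue is external storage or a world-readable file mode.
    static Path writeShared(Path sharedDir, String entry) throws IOException {
        Files.createDirectories(sharedDir);
        Path f = sharedDir.resolve("journal.txt");
        Files.write(f, entry.getBytes(StandardCharsets.UTF_8));
        return f;
    }

    // Hardened pattern: an app-private directory and a file created with
    // owner-only permissions. The Android analogue is
    // Context.openFileOutput(name, Context.MODE_PRIVATE).
    static Path writePrivate(Path privateDir, String entry) throws IOException {
        Set<PosixFilePermission> ownerOnlyDir = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        Set<PosixFilePermission> ownerOnlyFile = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE);
        Files.createDirectories(privateDir,
                PosixFilePermissions.asFileAttribute(ownerOnlyDir));
        Path f = privateDir.resolve("journal.txt");
        Files.deleteIfExists(f);
        Files.createFile(f, PosixFilePermissions.asFileAttribute(ownerOnlyFile));
        Files.write(f, entry.getBytes(StandardCharsets.UTF_8));
        return f;
    }

    // Check used by a reviewer or a test: is any group/other read bit still set?
    static boolean isReadableByOthers(Path f) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(f);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample entry, not real user data.
        String entry = "2026-01-28 mood=3/10 note=\"anxious before appointment\"";
        Path base = Files.createTempDirectory("mh-demo");

        Path shared = writeShared(base.resolve("shared"), entry);
        Path priv = writePrivate(base.resolve("private"), entry);

        System.out.println("shared file readable by others:  " + isReadableByOthers(shared));
        System.out.println("private file readable by others: " + isReadableByOthers(priv));
        System.out.println("weak key bytes:   " + weakKey().length + " (predictable seed)");
        System.out.println("strong key bytes: " + strongKey().length + " (CSPRNG)");
    }
}
```

The permission check is the part worth carrying into a real review: a scanner flagging "sensitive data in a location accessible to other apps" is, in practice, looking for files written outside the app's private directory or with a world-readable mode, and a unit test that asserts no group or other read bit is set on the files an app creates catches regressions of that kind before release.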
In one app alone, researchers uncovered more than 85 medium- and high-risk flaws. Many of the apps had not received updates in months or even years, with scans conducted in late January 2026 showing persistent problems.
Sergey Toshin, founder of Oversecured, highlighted the exceptional value of this data to cybercriminals. “Mental health data carries unique risks. On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers.”
The researchers highlighted that these apps collect some of the most intimate personal information available on mobile devices, making exploitation particularly dangerous.
What Android users should do to stay safe
Although specific app names were not disclosed in the report, the findings raise alarms about the security of wellness and health-related apps on Android. Users of these tools could face unauthorised access to deeply personal records if vulnerabilities are exploited.
Hence, Android users are advised to:
– Check for recent app updates regularly.
– Be cautious with permissions granted to health apps.
– Consider reviews and security reputations when downloading mental health tools.
– Use additional device security measures, such as avoiding rooted phones for sensitive apps.
As mental health apps continue to grow in popularity, users are advised to remain mindful of data privacy and security concerns, even when the apps are downloaded from Google Play’s secure ecosystem.
