Apps designed to help those with mental health problems leak patients’ therapy programs, meds, and more
The issue with these flaws, like most vulnerabilities, is that they can be exploited, leaving attackers with access to personal therapy information belonging to Android users. Some apps considered to be problematic include AI apps designed to help those with clinical depression, various forms of anxiety, bipolar disorder, stress, and panic attacks. Even though these apps contain sensitive information that no patient would want to see exposed, six of the 10 apps analyzed by researchers state that they use encryption to keep sensitive data safe.
Mobile security firm Oversecured scanned 10 mobile apps and discovered a total of 1,575 security vulnerabilities: 54 rated high-severity, 538 medium-severity, and 983 low-severity. Oversecured founder Sergey Toshin explained how the stolen patient data gets monetized: “On the dark web, therapy records sell for $1,000 or more per record, far more than credit card numbers,” he said. Oversecured said, “Since these internal activities often handle authentication tokens and session data, exploitation could give an attacker access to a user’s therapy records.”
Oversecured breaks down 10 mental health related apps looking for vulnerabilities. | Image by BleepingComputer
These apps had a total of 14.7 million installations from the Google Play Store
An AI therapy chatbot had the largest number of high-severity vulnerabilities at 23. With a total of 337 flaws, the most among the 10 apps scanned, a Mood & habit tracker found itself at the top of the list. The problem with these vulnerabilities is that they can be used to intercept and steal users’ login credentials, trick users by sending them spoofed notifications, and figure out the location of the user.
Six of the 10 apps analyzed by Oversecured may have had no high-severity findings, but they still had enough medium-severity issues to make them security risks overall. The researchers found that these apps collect and store sensitive information such as transcripts of therapy sessions, medication schedules, mood logs, self-harm indicators, and information protected under HIPAA regulations.
If you use an app to help with your mental health, make sure that you are not giving away sensitive personal information. Do not respond to texts, emails, and calls seeking personal data such as Social Security numbers and information related to your financial apps.