When Mental Health Apps Become Security Nightmares: The Trust Problem We Can't Ignore
I’ve been tracking some concerning developments this week that highlight a disturbing pattern in our industry - the gap between when breaches happen and when people actually find out about them. But what really caught my attention was how this plays out in one of the most sensitive areas imaginable: mental health applications.
The Mental Health App Crisis
Here’s something that should make us all uncomfortable: several Android mental health apps with a combined 14.7 million downloads are riddled with security vulnerabilities that could expose users’ most private medical information. (Source: “Android mental health apps with 14.7M installs filled with security flaws”)
Think about what this means for a moment. We’re talking about people who are already vulnerable, seeking help for depression, anxiety, PTSD, or other mental health conditions. They’re trusting these apps with their deepest struggles, therapy notes, mood tracking data, and potentially even crisis intervention communications. Now imagine that data in the wrong hands.
What makes this particularly frustrating is that these aren’t sophisticated zero-day exploits. We’re dealing with fundamental security flaws - the kind that should have been caught during basic security reviews. It’s a stark reminder that when we rush products to market without proper security consideration, real people get hurt.
The Notification Gap Problem
This ties directly into something Troy Hunt highlighted in his latest weekly update (“Weekly Update 492”) - there’s a recurring theme around the gap between breaches happening and victims finding out about them. While it’s easy to point fingers at the companies that got breached, Hunt makes a fair point that these organizations are simultaneously dealing with criminal intrusions, ransom demands, and the complex logistics of incident response.
But here’s where I think we need to push back a bit. Yes, breach response is complicated, but that’s exactly why we need better preparation and clearer communication protocols. When you’re dealing with mental health data or other sensitive personal information, every day that passes without notification increases the potential harm to individuals.
Old Tricks, New Profits: ATM Jackpotting Resurges
Meanwhile, cybercriminals are proving that sometimes the old ways are still the best ways. ATM jackpotting attacks surged in 2025, costing banks over $20 million in losses. (Source: “Spitting Cash: ATM Jackpotting Attacks Surged in 2025”)
What’s interesting here isn’t just the financial impact - it’s that criminals are using many of the same tools and tactics they’ve been wielding for more than a decade. This tells us something important about our defensive strategies. If attackers can keep succeeding with decade-old techniques, we’re not adapting our defenses quickly enough.
ATM jackpotting typically involves either physical access to install malware or exploiting network vulnerabilities to send commands that force the machine to dispense cash. The fact that these attacks are increasing suggests that either our physical security around ATMs isn’t keeping pace, or we’re still not addressing fundamental network security issues in these systems.
APT28’s European Campaign: When Legitimate Services Become Weapons
On the nation-state front, APT28 (that persistent Russian threat group) has been busy targeting Western and Central European entities through what researchers are calling “Operation MacroMaze.” (Source: “APT28 Targeted European Entities Using Webhook-Based Macro Malware”)
This campaign, active from September 2025 through January 2026, is particularly noteworthy because it relies on basic tooling and the exploitation of legitimate services. APT28 is using webhook-based macro malware - essentially turning legitimate web services into command and control infrastructure.
This approach is brilliant from an attacker’s perspective because it blends in with normal web traffic and makes detection much harder. When malware communicates through legitimate services, it doesn’t trigger the same network monitoring alerts that traditional C2 communications would.
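One defender-side answer to that problem is to stop asking “is the destination bad?” and start asking “should this process be talking to that destination at all?” The script below is an added example, not code from the original post or from the researchers cited; it reads constructed proxy log lines and flags outbound POSTs from macro-capable Office processes to hosts outside a hypothetical allowlist, which catches webhook-style C2 even when the destination itself has a clean reputation.

```python
import re
from dataclasses import dataclass

# Processes that can host Office macros. An outbound POST from one of these
# to an unexpected host is suspicious regardless of the host's reputation.
MACRO_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Hypothetical allowlist for this example: hosts these processes legitimately
# talk to in the environment being monitored.
ALLOWED_HOSTS = {"office.example.com", "update.example.com"}

# Constructed log format (assumption): one key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

@dataclass
class Alert:
    ts: str
    host: str
    proc: str
    dst: str
    bytes_out: int

def parse_line(line):
    """Return the parsed record as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_macro_beacons(lines):
    """Flag POSTs from macro-capable processes to hosts outside the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() not in MACRO_HOSTS:
            continue
        if rec["method"].upper() != "POST" or rec["dst"].lower() in ALLOWED_HOSTS:
            continue
        alerts.append(Alert(rec["ts"], rec["host"], rec["proc"], rec["dst"], int(rec["bytes"])))
    return alerts

# Constructed sample proxy log lines (not real traffic or real services).
SAMPLE_LOG = [
    "2026-01-12T09:14:02Z host=ws-17 proc=winword.exe method=POST dst=hooks.example-saas.net bytes_out=1843",
    "2026-01-12T09:14:05Z host=ws-17 proc=chrome.exe method=POST dst=hooks.example-saas.net bytes_out=920",
    "2026-01-12T09:15:10Z host=ws-22 proc=excel.exe method=GET dst=update.example.com bytes_out=120",
    "2026-01-12T09:16:44Z host=ws-22 proc=excel.exe method=POST dst=api.example-chat.org bytes_out=2210",
]

if __name__ == "__main__":
    for a in find_macro_beacons(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: {a.proc} POST to {a.dst} ({a.bytes_out} bytes)")
```

The second line is the same destination from a browser and is deliberately not flagged: the signal is the process context, not the host.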
What This Means for Our Daily Work
These stories aren’t just interesting news items - they represent patterns we need to address in our own organizations. The mental health app vulnerabilities remind us that security reviews need to be mandatory, not optional, especially when dealing with sensitive data. The breach notification delays highlight our need for better incident response planning and communication strategies.
The ATM jackpotting resurgence should make us question whether we’re getting too focused on sophisticated threats while leaving basic security gaps unaddressed. And APT28’s use of legitimate services as attack infrastructure means we need to rethink how we monitor and analyze network traffic.
As security professionals, we often get caught up in the latest threats and cutting-edge attack techniques. But this week’s news reminds us that sometimes the most damaging attacks exploit the basics we thought we had covered.