Security exposures in consumer and mobile apps: robot vacuum account takeover and widespread mental-health app flaws
A security flaw in DJI Romo robot vacuums allowed unauthorized access to thousands of devices after a user reverse-engineered the device-to-cloud protocol to build a custom controller app. By obtaining the private token for their own vacuum, the researcher reported they could access backend servers across regions and inadvertently gained control of roughly 6,700 vacuums, with potential access to floor plans, live camera/microphone feeds, and remote control functions; DJI issued server-side/firmware updates that required no user action, though the researcher reported at least two issues remained (including video streaming without a PIN and another undisclosed high-severity problem). Separately, mobile security researchers reported that popular Android mental health apps (about 14.7M installs across ten apps) contained 1,575 vulnerabilities—mostly low/medium severity but including 54 high-severity findings—creating risk of exposure of sensitive therapy data via issues such as credential interception, notification spoofing, HTML injection, and user location leakage.
Optimizely also confirmed a data breach following a vishing (voice-phishing) attack that provided attackers access to some internal systems and resulted in theft of basic business contact information from internal business systems/CRM and limited back-office documents; the company said attackers could not escalate privileges, install software, or establish backdoors, and it reported no evidence of access to sensitive customer data beyond contact details. While the Optimizely incident is distinct from the consumer-device and mobile-app vulnerability disclosures, it reinforces the operational risk of social engineering and the likelihood of follow-on phishing using stolen contact data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Mental health app findings disclosed during coordinated vendor notification
By late February 2026, Oversecured had privately notified affected vendors about the vulnerabilities in the 10 Android mental health apps while withholding app names during coordinated disclosure. Public reporting said remediation status was still unclear and that the apps collectively had more than 14.7 million installs.
DJI remediates reported robot vacuum server-side security issue
After Azdoufal reported the vacuum access issue, DJI deployed updates that remediated the flaw without requiring user action. The researcher said some problems still remained, including the ability to stream video without a security PIN and another undisclosed severe issue.
Researcher discovers broad access flaw in DJI Romo robot vacuums
While reverse engineering his own DJI Romo robot vacuum to control it with a PlayStation controller, Sammy Azdoufal uncovered a security flaw that exposed access to roughly 6,700 vacuums worldwide. The issue allowed retrieval of floor plans, access to live camera and microphone feeds, and remote control of devices across regions including the U.S., Europe, and China.
Oversecured scans 10 Android mental health apps and finds 1,575 flaws
On January 22–23, 2026, mobile security firm Oversecured analyzed 10 popular Android mental health apps from Google Play and identified 1,575 vulnerabilities, including dozens of high-severity issues. The flaws affected areas such as local storage, authentication, inter-app communication, encryption, and backend connectivity, with potential exposure of sensitive therapy and medical data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Millions at Risk as Android Mental Health Apps Expose Sensitive Data
techrepublic.com
Open sourceMental health apps vulnerable, exposing sensitive user data | SC Media
scworld.com
Open sourceUser accidentally gains control of over 6,700 robot vacuums while tinkering with their own device to enable control with a PlayStation controller - security flaw reveals floor plans and live video feeds | Tom's Hardware
tomshardware.com
Open sourceAndroid mental health apps with 14.7M installs filled with security flaws
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Consumer and IoT privacy exposures from insecure device data handling and wireless identifiers
Multiple disclosures highlighted privacy and safety risks stemming from insecure data handling in connected devices and services. A server-side storage weakness in **DJI Romo robot vacuums** allowed a researcher to obtain access tokens for more than **6,700** other vacuums and view sensitive user data such as **home floor plans**, **live video feeds**, and **microphone input**; reporting indicated some issues were patched, but residual risk remained (e.g., the ability to stream video without a security PIN). Separately, the game *Dungeon Crusher* exposed user information after a **misconfigured Elasticsearch** instance leaked **24.5 million** in-game chat records and purchase-related data, including **IP addresses**, **email addresses**, and **partial payment card details**, creating downstream risk for fraud and targeted phishing. Academic research also demonstrated how everyday systems can leak exploitable signals or be manipulated in the physical world. UC Irvine researchers presented **FlyTrap**, a physical-world attack against **autonomous target-tracking drones** in which AI-generated umbrella patterns can cause drones to approach an attacker closely enough to be captured or crashed, raising concerns for deployments in surveillance and security contexts. IMDEA Networks and partners showed that **Tire Pressure Monitoring System (TPMS)** sensors broadcast a fixed **unique ID** in cleartext radio signals, enabling low-cost receiver networks to track vehicles over time without line-of-sight, based on signals collected from **20,000+ vehicles** during a multi-week study.
Mar 21, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.
Mar 21, 2026