AI's New Era

How Attackers Can Poison the Health Data Your Apps Trust

Research by
Sina Yazdanmehr, Lucian Ciobotaru

Modern health apps share your data through a single hub on your phone. We showed how AI lets an attacker quietly poison that shared data, faking a diabetic's blood sugar, a user's fertile window, or their calorie intake, and how to stop it.

The Real Shift: AI Lowers The Bar For Attackers

AI cuts both ways in security. It creates new attack surfaces like prompt injection, data poisoning, and jailbreaking that target AI systems directly, and it supercharges familiar ones, from deepfakes and phishing to auto-generated malware.

The deeper change is subtler. Sophisticated attacks used to demand rare domain expertise: to manipulate medical data convincingly, you had to understand medicine. AI collapses that barrier. Given enough data and cheap computing power, it can build deep, domain-specific knowledge in minutes, then act on it in seconds and across many targets at once.
An attacker with no medical background can now run an attack that would previously have required a specialist.

Healthcare is a natural target. It is heavily digitized, full of medical and wellness apps, and awareness of this class of attack is still low.

The Case Study: Google Health Connect

To make the risk concrete, we looked at Google Health Connect, Android's shared health database, launched in early 2024 to replace Google Fit. It stores health data on the user's own device and acts as a common hub: fitness, wellness, and medical apps connect to it and read or write records such as vitals, body measurements, and nutrition. Hundreds of apps already use it.

Health Connect is, in effect, a shared database. Connected apps request read and write access per data type, and the platform enforces only minimal sanity checks, for example, that body weight is above zero.

The Attack: Poison The Shared Record

A malicious app doesn't need to break Health Connect. It only needs access to it, either as a legitimate app that has been hijacked, or as a fake app published on the Play Store that requests health permissions. From there the attack has three steps, and AI does the hard part.

First, the malicious app reads the victim's existing records (the past 30 days of data) plus the names of the other apps they use.

Second, an AI engine analyzes those records to identify the person's condition and goals, then determines precisely which fake values will skew the outcome, and the app writes those records back into Health Connect.

Third, the trusted apps the person actually relies on consume the poisoned data and present it as real.

The reason this works is disarmingly simple: neither Health Connect nor the connected apps check whether a value is medically possible, or where it came from. In one proof of concept, a malicious app logged 20,000 steps in two minutes, and a trusted fitness app cheerfully displayed "20,000 of 10,000 steps walked."

What We Demonstrated

We built this attack against three common categories of health app. In each case, the AI tailored the fake data to the victim's own records.

For a diet and weight app, the goal was to make the user appear to stay within a calorie deficit.
The AI inferred the person's metabolic rate and routine, then inserted records that shifted their apparent daily intake while keeping the graph looking natural, so the app told them they were on track when they weren't.

For a family planning app, the goal was to mislead users about their fertile window. Our model predicted a user's menstrual cycle with roughly 95% accuracy from a few months of data, then inserted a fake positive ovulation test to move the displayed fertile period.
Because neither the app nor Health Connect verifies the source of the data, the app showed a fabricated window, raising the risk of unintended pregnancy by up to 85% for anyone relying on the calendar method.

For a diabetes management app, the goal was to hide dangerously high blood sugar so the user would skip insulin. The AI predicted the person's glucose levels with a ~9.7% error margin and inserted readings that always landed in the normal range, concealing every real spike. Left uncorrected over time, that kind of manipulation raises the risk of serious diabetes complications (heart, kidney, nerve, and vision damage) by up to 80%.

What Should Be Done

The fix is not to abandon shared health platforms, but to stop trusting data blindly. Responsibility is shared across three groups:

- Users should grant Health Connect permissions only to apps they trust, cross-check important readings against another source or a clinician before acting on them, and periodically review Health Connect logs for records they don't recognize.

- The platform should require trusted sources for critical metrics (limiting something like blood sugar to verified devices or apps), enforce physiological limits that reject impossible values, and flag irregular input patterns.

- App developers should restrict high-impact metrics to recognized sources, apply context-based checks (for instance, verifying that a large calorie burn matches a long or high-intensity activity), and validate that every entry falls within a realistic human range before using it.
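The developer-side checks above (recognized sources, context-based checks, realistic ranges), sketched in Python as an added example that is not code from the research or from Health Connect. The record fields, package names and thresholds are assumptions chosen for illustration, not Health Connect's schema or clinical limits.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration only; not clinical guidance and not
# taken from Health Connect. Package names are hypothetical.
TRUSTED_SOURCES = {"blood_glucose": {"com.example.cgm_vendor"}}
VALUE_RANGE = {"blood_glucose": (20.0, 600.0)}   # mg/dL
MAX_RATE_PER_MIN = {"steps": 250.0}              # steps per minute


def validate(record):
    """Return the list of reasons to reject a record (empty list = accept)."""
    reasons = []
    kind, value = record["type"], record["value"]

    # 1. Provenance: high-impact metrics only from recognized writers.
    allowed = TRUSTED_SOURCES.get(kind)
    if allowed is not None and record["source"] not in allowed:
        reasons.append("untrusted_source")

    # 2. Realistic human range for point-in-time values.
    if kind in VALUE_RANGE:
        low, high = VALUE_RANGE[kind]
        if not low <= value <= high:
            reasons.append("out_of_range")

    # 3. Context: a cumulative count must be plausible for its time interval.
    if kind in MAX_RATE_PER_MIN:
        minutes = (record["end"] - record["start"]).total_seconds() / 60
        if minutes <= 0 or value < 0 or value / minutes > MAX_RATE_PER_MIN[kind]:
            reasons.append("implausible_rate")
    return reasons


# Constructed sample records (not real data).
T0 = datetime(2025, 1, 1, 8, 0)
SAMPLES = [
    {"type": "steps", "value": 20000, "start": T0, "end": T0 + timedelta(minutes=2),
     "source": "com.example.unknown_app"},
    {"type": "steps", "value": 3000, "start": T0, "end": T0 + timedelta(minutes=30),
     "source": "com.example.unknown_app"},
    # In-range glucose from an unrecognized writer: only the source check fires.
    {"type": "blood_glucose", "value": 105.0, "start": T0, "end": T0,
     "source": "com.example.unknown_app"},
    {"type": "blood_glucose", "value": 105.0, "start": T0, "end": T0,
     "source": "com.example.cgm_vendor"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["type"], rec["value"], rec["source"], validate(rec) or "accepted")
```

The third sample is the case the diabetes scenario depends on: a fabricated reading inside the normal range passes any range check, so only the source restriction rejects it.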

The Bigger Picture

AI has changed cybersecurity, and one of its most important effects is that attackers can now execute complex, domain-specific attacks without domain expertise.

That is a cross-sector risk, and healthcare, where a manipulated number can change a treatment decision, is among the most exposed. The defense is to design systems that are resilient to this: validate where data comes from, and whether it's even possible, before anything is allowed to depend on it.

Key Takeaways

- AI removes the expertise barrier. An attacker no longer needs medical knowledge. AI learns a victim's health patterns from their own data and calculates exactly which fake values will mislead the apps they rely on, in seconds and at scale.

- Shared health platforms are a soft target. Google Health Connect, used by hundreds of Android health apps, lets almost any connected app write data, and accepts values no human could produce, like 20,000 steps in 2 minutes.

- The harm is physical, not just privacy. We demonstrated attacks that conceal a diabetic's dangerous blood sugar, fake a fertility window (up to +85% unintended-pregnancy risk), and mask real calorie intake, quietly corrupting the apps people trust for health decisions.

- Fix #1: validate the data, not just the permissions. Platforms and apps should limit critical metrics to trusted sources, reject physiologically impossible values, and flag irregular input patterns.

- Fix #2: keep a human in the loop. Grant health permissions only to trusted apps, cross-check important readings with a clinician, and review connected-app logs for anything suspicious.