
Details have emerged of a patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could potentially put millions of cryptocurrency wallet users at risk.
“This flaw allows apps on the same device to bypass the Android security sandbox and gain unauthorized access to private data,” the Microsoft Defender Security Research Team said in a report published today.
The EngageLab SDK provides a push notification service that, according to its website, is designed to deliver “timely notifications” based on user behavior that is already tracked by the developer. Integrating the SDK into your app provides a way to send personalized notifications and drive real-time engagement.
The tech giant said that a significant number of apps that use the SDK are part of the cryptocurrency and digital wallet ecosystem, and that the affected wallet apps account for more than 30 million installs. If you include non-wallet apps built on the same SDK, the number of installs is over 50 million.
Microsoft did not name the apps, but said all detected apps using vulnerable versions of the SDK have been removed from the Google Play Store. Following responsible disclosure in April 2025, EngageLab released version 5.2.1 in November 2025 to address the vulnerability.
This issue was identified in version 4.5.4 and is described as an intent redirection vulnerability. An intent in Android refers to a messaging object used to request an action from another app component.
Intent redirection occurs when an attacker manipulates the contents of an intent sent by a vulnerable app, leveraging that app's trusted context (i.e., permissions) to gain unauthorized access to protected components, expose sensitive data, or escalate privileges within the Android environment.
An attacker could exploit this vulnerability using a malicious app, installed on the device through other means, to access internal directories associated with the app in which the SDK is integrated and gain unauthorized access to sensitive data.
There is no evidence that this vulnerability has been exploited in a malicious context. That said, we recommend that developers integrating SDKs update to the latest version as soon as possible, especially considering that even a minor flaw in an upstream library can have a cascading effect that can impact millions of devices.
“This case illustrates how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value areas such as digital asset management,” Microsoft said. “Apps are increasingly reliant on third-party SDKs, creating large and opaque supply chain dependencies. These risks are exacerbated when integrations expose exported components or rely on unverified trust assumptions across app boundaries.”
