EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs
Serious Flaw in the EngageLab SDK Put 50 Million Android Users and Crypto Wallets at Risk
Critical Flaw in EngageLab SDK Exposed 50 Million Android Users and Crypto Portfolios
TL;DR
A critical security vulnerability in the EngageLab SDK allowed malicious apps to bypass the Android security sandbox and steal private data. The flaw affected over 50 million installations, including 30 million cryptocurrency wallet users. While a patch (v5.2.1) is now available and vulnerable apps have been removed from the Play Store, the incident highlights the massive supply-chain risks posed by third-party SDKs in high-value sectors.
Overview of the Vulnerability
The Microsoft Defender Security Research Team recently disclosed a significant security flaw in the EngageLab SDK, a popular third-party tool used by Android developers to integrate push notification services.
According to researchers, the vulnerability allowed local apps on the same device to bypass the standard Android security sandbox. By breaking this isolation, a malicious application could gain unauthorized access to the private data of other apps sharing the SDK infrastructure.
Impacts on the Crypto Ecosystem
The scale of the exposure is particularly alarming due to the sensitive nature of the affected apps. Microsoft reported that a significant portion of the apps utilizing the EngageLab SDK belong to the cryptocurrency and digital wallet ecosystem.
- 30 Million+ installations were identified specifically as crypto wallet applications.
- 50 Million+ total installations were affected when including non-wallet apps.
Because digital wallets manage high-value assets, a sandbox bypass of this nature could theoretically allow an attacker to target private keys, seed phrases, or other sensitive financial data stored within the app’s internal directories.
Technical Breakdown: Intent Redirection
The flaw, discovered in version 4.5.4 of the SDK, is classified as an intent redirection vulnerability.
In the Android operating system, "Intents" are messaging objects used to request actions from other app components. The vulnerability occurs when a malicious app gets a vulnerable app to act on an Intent the attacker supplied, so that the requested action runs in the vulnerable app's "trusted context" (with its granted permissions) rather than the attacker's.
How the attack works:
- A user unknowingly installs a malicious app on their device.
- The malicious app exploits the EngageLab SDK's handling of Intents.
- By manipulating the Intent contents, the attacker leverages the SDK's permissions to access internal directories of the target app.
- The attacker can then extract sensitive data or escalate privileges within the Android environment.
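The steps above describe the intent-redirection class in general; the page does not show how the EngageLab SDK itself handled Intents, so the following is an added, hypothetical illustration from the defender's side and is not the SDK's code. It assumes a push SDK exposes a notification "open" Activity that receives a nested Intent in an extra (the key name `target_intent`, the activity class names and the `com.example.wallet` package are all assumed) and forwards it. Forwarding that nested Intent unconditionally is the bug; the code below shows the checks Android's own remediation guidance calls for before forwarding: refuse implicit Intents, allow only an explicit allowlist of in-package screens (the attacker's goal is to reach the host app's non-exported components), require any external target to be exported, and strip URI-permission grant flags so the host's content-provider access is not handed on.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical notification "open" Activity of the kind a push SDK exposes to
 * launch a screen when the user taps a notification. It receives an Intent
 * embedded as an extra and forwards it. Forwarding unconditionally is the
 * intent-redirection bug; here the nested Intent is validated first.
 */
public class NotificationOpenActivity extends Activity {
    private static final String TAG = "IntentRedirectGuard";

    // Assumed extra key for the nested Intent (the real SDK's key names are not on the page).
    static final String EXTRA_TARGET_INTENT = "target_intent";

    // In-app screens a notification is legitimately allowed to open (assumed class names).
    static final Set<String> ALLOWED_IN_APP_TARGETS = new HashSet<>(Arrays.asList(
            "com.example.wallet.ui.TransactionDetailActivity",
            "com.example.wallet.ui.AnnouncementActivity"));

    // Flags that would hand the receiver this app's access to content:// URIs.
    static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
          | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
          | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
          | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET_INTENT);
        if (nested != null && isSafeToForward(this, nested)) {
            // Even an approved destination never inherits URI grants from us.
            nested.setFlags(nested.getFlags() & ~URI_GRANT_FLAGS);
            startActivity(nested);
        } else {
            Log.w(TAG, "Dropped nested Intent that failed redirection checks");
        }
        finish();
    }

    /**
     * Decides whether a nested Intent may be launched on this app's behalf.
     * Rejects implicit Intents, in-package targets outside the allowlist, and
     * external targets that are not themselves exported.
     */
    static boolean isSafeToForward(Context ctx, Intent nested) {
        ComponentName target = nested.getComponent();
        if (target == null) {
            return false; // implicit Intent: where it resolves is attacker-influenced
        }
        if (ctx.getPackageName().equals(target.getPackageName())) {
            // Inside our own package only the allowlisted screens are reachable this way;
            // everything else (including non-exported components) is refused.
            return ALLOWED_IN_APP_TARGETS.contains(target.getClassName());
        }
        // External target: it must be exported, i.e. the caller could have reached
        // it directly anyway, so routing through us gains no privilege.
        ResolveInfo info = ctx.getPackageManager().resolveActivity(nested, 0);
        return info != null && info.activityInfo != null && info.activityInfo.exported;
    }
}
```

The same checks can be expressed declaratively with `androidx.core.content.IntentSanitizer`, which builds a filtered copy of an Intent from an allowlist of components, actions and flags; the hand-written version above is kept so each rejected case is visible.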
Remediation and Timeline
Microsoft followed a responsible disclosure process, alerting EngageLab to the issue in April 2025.
- November 2025: EngageLab released version 5.2.1 to address the flaw.
- Present Day: Microsoft confirmed that all apps detected using the vulnerable versions of the SDK have been removed from the Google Play Store.
While Microsoft did not name the specific apps affected, it noted that there is currently no evidence that this vulnerability was exploited by malicious actors before it was patched.
The Growing Risk of SDK Supply Chains
This incident serves as a stark reminder of the "opaque" nature of modern app development. Developers often rely on third-party SDKs to drive engagement and deliver features quickly, but these integrations create cascading security risks.
"This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management," Microsoft stated in its report.
Conclusion
Though the immediate threat has been mitigated by the release of version 5.2.1 and the removal of vulnerable apps from the Play Store, the EngageLab flaw underscores a vital lesson for developers: security is only as strong as the weakest link in the supply chain. Developers using EngageLab are urged to ensure they have updated to the latest version to protect their users from potential privilege escalation and data theft.
Source: https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html