Critical Flaw in EngageLab SDK Puts 50M Android Users at Risk: What You Need to Know


EngageLab SDK Flaw Exposed 50 Million Android Users, Including 30 Million Crypto Wallet Installs

By Ravie Lakshmanan — April 9, 2026

A critical security vulnerability discovered in the widely used EngageLab SDK for Android has potentially exposed over 50 million users to data breaches, including more than 30 million installations of cryptocurrency wallet applications. The flaw, now patched, posed a significant risk by enabling unauthorized access to sensitive private data on affected devices.

Vulnerability Overview

The EngageLab SDK, a third-party software development kit known for its push notification capabilities, is integrated into numerous Android applications to deliver "timely notifications" tailored to individual user behaviors. While this enhances user engagement and personalization, the Microsoft Defender Security Research Team revealed that a serious security weakness allowed malicious actors to bypass the Android security sandbox.

The vulnerability, classified as an intent redirection issue, emerged in EngageLab SDK version 4.5.4. Android intents are messaging objects used to request actions between app components. When exploited, this flaw permitted other apps on the same device to manipulate intents and gain unauthorized access to private directories and sensitive information within apps incorporating the SDK.

Impact on Cryptocurrency Wallet Apps

Microsoft highlighted that many apps employing the EngageLab SDK belonged to the cryptocurrency and digital wallet sectors, industries that manage high-value digital assets and require stringent security protocols. Among the affected apps, over 30 million installations were cryptocurrency wallets, with total installs of all vulnerable SDK-based apps exceeding 50 million.

This discovery raised alarm due to the nature of the data at risk, including digital wallets that hold cryptocurrencies. Unauthorized access through this vulnerability could have allowed attackers to harvest sensitive user information or potentially compromise wallet security.

Responsible Disclosure and Mitigation

The Microsoft Defender team disclosed the vulnerability responsibly in April 2025. In response, EngageLab released an updated SDK version 5.2.1 in November 2025, addressing the issue and protecting users from potential exploits. Following the patches, all affected apps containing the vulnerable SDK versions were removed from the Google Play Store.

Microsoft has not publicly named the specific applications impacted but emphasized that developers should promptly update to the latest SDK version to avoid cascading security consequences, especially since even minor flaws in upstream libraries can affect millions of devices.

Technical Details and Risk Evaluation

The core of the vulnerability lies in how the EngageLab SDK handled Android intents. Attackers could deploy a malicious app on the same device to intercept or redirect intents from vulnerable apps, leveraging the vulnerable apps' elevated permission context to:

  • Access internal directories
  • Extract confidential data
  • Escalate privileges beyond intended boundaries

Although there has been no evidence of active exploitation in the wild, the nature of the flaw underscores the risks posed by trust assumptions in third-party SDKs.

"This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management," Microsoft noted. "Apps increasingly rely on third-party SDKs, creating large and often opaque supply-chain dependencies. These risks increase when integrations expose exported components or rely on trust assumptions that aren’t validated across app boundaries."

Recommendations for Developers and Users

Developers are strongly encouraged to:

  • Audit their applications for SDK dependencies like EngageLab
  • Update to the patched SDK versions immediately
  • Employ stricter validation around exported app components and intent handling
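
As a starting point for the audit and exported-component review recommended above, the following added example (not code from the article, Microsoft, or EngageLab) scans a decoded, merged AndroidManifest.xml for components that other apps can reach without holding a permission and marks those contributed by an SDK. The function name, the sample manifest, and the `com.example.pushsdk.` prefix are hypothetical; the article does not list the SDK's component names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest; every package and class name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name="com.example.pushsdk.RouterActivity" android:exported="true"/>
    <service android:name="com.example.pushsdk.PushService">
      <intent-filter><action android:name="com.example.pushsdk.MESSAGE"/></intent-filter>
    </service>
    <receiver android:name="com.example.pushsdk.PushReceiver" android:exported="true"
        android:permission="com.example.wallet.permission.PUSH"/>
    <provider android:name=".FilesProvider" android:authorities="com.example.wallet.files"
        android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml, sdk_prefixes=()):
    """List components other apps can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID_NS + "permission")
        for comp in app:
            if comp.tag not in COMPONENT_TAGS:
                continue
            attr = lambda key: comp.get(ANDROID_NS + key)
            name = attr("name") or ""
            if name.startswith("."):
                name = package + name  # expand shorthand class names
            if attr("exported") == "true":
                reason = "explicitly exported"
            elif (attr("exported") is None and comp.tag != "provider"
                  and comp.find("intent-filter") is not None):
                # Before Android 12 an intent filter implied exported="true".
                reason = "intent-filter without android:exported"
            else:
                continue
            # A provider may instead be guarded by separate read and write permissions.
            guarded = attr("permission") or app_perm or (
                attr("readPermission") and attr("writePermission"))
            if not guarded:  # protectionLevel of a declared permission is not checked here
                findings.append({"component": name, "type": comp.tag, "reason": reason,
                                 "from_sdk": name.startswith(tuple(sdk_prefixes))})
    return findings
```

Each finding is a candidate for review, not a confirmed flaw: a launcher activity is exported by design, while an exported SDK component that forwards incoming intents deserves a close look at how it validates them.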

Users should remain vigilant with app permissions and keep their applications updated through official stores to reduce potential exposure.

Conclusion

This incident serves as a cautionary tale about the security challenges inherent in relying on third-party SDKs within mobile applications, particularly in sectors handling sensitive financial data such as cryptocurrencies. Continuous scrutiny, timely patching, and responsible disclosure remain vital in safeguarding the mobile ecosystem.



© 2026 The Hacker News. All Rights Reserved.
