Massive Android Security Flaw in EngageLab SDK Puts 50 Million Users at Risk, Targeting Crypto Wallets


EngageLab SDK Vulnerability Exposed Personal Data of 50 Million Android Users, Including 30 Million Cryptocurrency Wallets

April 9, 2026 — By Ravie Lakshmanan

A critical security flaw discovered in the widely used EngageLab Software Development Kit (SDK) for Android has potentially put the personal data of up to 50 million users at risk, including more than 30 million installations of cryptocurrency wallet apps. The vulnerability, now patched, highlights the ongoing risks posed by third-party software components embedded in mobile applications, especially those handling sensitive financial information.

What Is EngageLab SDK and the Nature of the Vulnerability?

EngageLab SDK is a third-party development tool widely integrated into various Android apps to provide personalized push notification services. Its functionality enables developers to send real-time, behavior-based notifications designed to improve user engagement.

However, a vulnerability recently identified in EngageLab SDK versions from 4.5.4 onward allows other apps installed on the same device to circumvent Android's application sandbox. In technical terms, the flaw is classified as an intent redirection vulnerability. Android intents are messaging objects that apps use to request actions from other components; an intent redirection bug arises when an exported component accepts an intent supplied by an untrusted app, extracts a nested intent from it, and forwards that nested intent under the host app's own identity. A malicious co-installed app can thereby reach components the host app never exported, or borrow permissions and URI grants the host app holds, breaching the boundaries that are supposed to isolate apps from each other.
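To make the pattern concrete, the following is an added example written for this page; it is not EngageLab's code and does not describe the SDK's internals. It shows a hypothetical exported "notification router" activity that forwards a nested intent it received from another app (the vulnerable shape), beside a hardened version that only relays to an allow-listed exported screen of its own package and strips URI-grant flags first. The package name `com.example.pushdemo`, the extra name `target`, the activity names and the allow-listed screen are all assumptions made for the illustration; both classes would live in their own files and be declared with `android:exported="true"` in the manifest, which is what lets any co-installed app reach them.

```java
// File: VulnerableNotificationRouter.java  (hypothetical package, not EngageLab's)
package com.example.pushdemo;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

/** VULNERABLE: forwards an attacker-supplied Intent with this app's identity. */
public class VulnerableNotificationRouter extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Any co-installed app can startActivity() this exported component and
        // place an arbitrary nested Intent in the "target" extra (assumed name).
        Intent nested = getIntent().getParcelableExtra("target");
        if (nested != null) {
            // Started by THIS app, so the nested Intent can reach this app's
            // non-exported components and can carry FLAG_GRANT_*_URI_PERMISSION
            // for this app's content providers: classic intent redirection.
            startActivity(nested);
        }
        finish();
    }
}
```

```java
// File: HardenedNotificationRouter.java  (hypothetical package, not EngageLab's)
package com.example.pushdemo;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.os.Bundle;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** HARDENED: relays only to an allow-listed, exported screen of this app. */
public class HardenedNotificationRouter extends Activity {
    // Screens a push notification is allowed to open (assumed names).
    private static final Set<String> ALLOWED_TARGETS = new HashSet<>(Arrays.asList(
            "com.example.pushdemo.PromoScreenActivity",
            "com.example.pushdemo.InboxActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra("target");
        if (nested != null && isSafeToForward(nested)) {
            startActivity(nested);
        }
        finish();
    }

    private boolean isSafeToForward(Intent nested) {
        // Resolve exactly where the Intent would land before trusting it.
        ActivityInfo info = nested.resolveActivityInfo(getPackageManager(), 0);
        if (info == null) return false;
        // 1. Must stay inside this app and land on an allow-listed screen.
        if (!getPackageName().equals(info.packageName)) return false;
        if (!ALLOWED_TARGETS.contains(info.name)) return false;
        // 2. Must not reach anything the caller could not reach on its own.
        if (!info.exported) return false;
        // 3. Never let the caller piggy-back a URI grant on our identity
        //    (Intent.removeFlags is available from API level 26).
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        // 4. Pin the resolved component so a second resolution cannot differ.
        nested.setComponent(new ComponentName(info.packageName, info.name));
        return true;
    }
}
```

The safest design avoids accepting a nested Intent from outside at all: have the push payload carry a short string key (for example `"screen": "inbox"`) and map it to a fixed component inside the app. The hardened router above is the fallback for SDKs whose wire format already embeds an Intent; note that the `exported` check matters because a non-exported component is exactly what the sandbox is supposed to keep other apps away from.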

Impact on Cryptocurrency Wallet Users and Other Apps

Microsoft’s Defender Security Research Team, which reported the flaw, revealed that a significant share of apps running this vulnerable SDK belong to the cryptocurrency and digital wallet sector. With over 30 million installations of such wallet apps estimated to be affected, plus additional apps using the SDK, the total impacted user base could exceed 50 million Android devices globally.

Data exposed through the flaw could have included private financial details, making this a particularly high-risk issue for users managing digital assets. Though Microsoft did not disclose specific app names, all identified affected apps have since been removed from the Google Play Store to prevent further exposure.

Disclosure and Patch Status

After responsible disclosure in April 2025, EngageLab addressed the vulnerability and released a fixed version of their SDK, version 5.2.1, in November 2025. Developers are strongly urged to update their apps to this latest version immediately to safeguard their users. Microsoft’s research found no evidence indicating the flaw had been exploited in the wild prior to the patch, yet the potential for misuse remains significant given the scale of vulnerable installations.

Broader Implications for Mobile Security and Third-Party SDKs

"This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management," Microsoft commented. The incident underscores the increasing reliance on external SDKs by app developers, which often creates opaque supply chain dependencies. Risks multiply particularly when these integrations involve exported app components or trust assumptions that are not consistently enforced across app boundaries.

Security experts emphasize that even seemingly minor vulnerabilities in upstream libraries or SDKs have the potential to cascade through millions of devices, elevating the importance of rigorous third-party component vetting in app development.

Recommendations for Users and Developers

  • Developers: Upgrade to EngageLab SDK version 5.2.1 or later immediately. Audit every exported component, including those contributed by bundled SDKs, and never forward an intent received from another app without validating its destination and stripping URI-grant flags, so that similar intent redirection problems cannot arise. Implement comprehensive security audits of all integrated third-party components.

  • Users: Keep apps updated, especially digital wallet and financial apps. Review app permissions regularly and avoid installing unknown or suspicious apps that could exploit vulnerabilities in co-resident apps.

Final Thoughts

As mobile apps grow increasingly complex and dependent on third-party SDKs, this incident is a stark reminder of the security challenges inherent in supply chain dependencies. The EngageLab SDK vulnerability serves as a cautionary tale for both developers and users about the need for vigilant software practices, particularly in sectors dealing with sensitive data such as cryptocurrency.



This article was originally published by The Hacker News, the #1 trusted cybersecurity news platform.
