Android SDK exposed millions

Microsoft warned that an outdated third‑party Android SDK (EngageLab/EngageSDK) left more than 50 million users at risk by letting malicious apps abuse trusted permissions and access credentials and financial data, and researchers say the same flaw could expose more than 30 million crypto‑wallet installs. This shows how a single vulnerable SDK can turn ordinary phones and high‑value wallet apps into attack surfaces if apps inherit unsafe permissions. (techradar.com) (cybersecuritynews.com)

Android is supposed to work like an apartment building: each app gets its own locked unit, and one app is not supposed to walk into another app’s files. Microsoft said one widely used Android add-on broke that rule inside apps with more than 50 million total installs. (microsoft.com)

That add-on was EngageLab’s EngageSDK, a software development kit developers drop into apps for push notifications and in-app messages. SecurityWeek reported that Microsoft found it inside crypto wallet apps alone with more than 30 million installs. (securityweek.com)

A software development kit is a prebuilt part, like buying a ready-made lock instead of machining one yourself. The catch is that the part runs with the same permissions as the app that installs it, so a bug in the part can borrow the app’s trust. (microsoft.com)

The bug sat in Android “intents,” which are message slips apps use to ask other parts of the phone to do something. Microsoft said the vulnerable SDK let a malicious app on the same device tamper with those slips and make the trusted app carry out the wrong action. (microsoft.com)

The weak point was an exported activity called MTCommonActivity, a component that other apps could reach from outside. Microsoft said that component only showed up in the merged Android manifest after build, so developers could miss it while thinking their own app stayed locked down. (microsoft.com)

Once that door was open, the malicious app did not need to crack the victim app directly. Microsoft said it could trick the victim app into opening internal components with the victim app’s own privileges, which put personal data, login credentials, and financial information at risk. (microsoft.com)

Crypto wallet apps made the flaw more dangerous because those apps often store seed phrases, account details, transaction history, or authentication material behind extra permissions. Microsoft said the same SDK bug could have exposed exactly those high-value targets because the wallet app would be doing the privileged work on the attacker’s behalf. (microsoft.com)

Microsoft said it found the bug in EngageSDK version 4.5.4 in April 2025, reported it to EngageLab that month, and alerted the Android Security Team in May 2025 because affected apps were on Google Play. EngageLab fixed it on November 3, 2025 in version 5.2.1 by marking the vulnerable activity as non-exported. (microsoft.com)

By the time Microsoft published the case on April 9, 2026, it said all detected apps using vulnerable versions had been removed from Google Play. Microsoft also said Android added automatic protections for users who had already downloaded affected apps. (microsoft.com)

Microsoft said it had no evidence the flaw was exploited in the wild. The bigger warning is that modern apps are built from stacks of outside code, and one hidden component in one popular kit can quietly turn a banking app, a wallet app, or a shopping app into a bridge for data theft. (microsoft.com)
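Because the exported activity only appeared in the merged manifest after the build, the practical check is to scan that merged file rather than the app's own source manifest. The script below is an added example, not Microsoft's or EngageLab's code: it lists every component another app could reach, both those explicitly marked android:exported="true" and those that become exported implicitly through an intent-filter. The sample manifest and the com.example package names are constructed; only the MTCommonActivity class name comes from the report.

```python
"""Scan a merged AndroidManifest.xml for components reachable by other apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest (not EngageSDK's real manifest).
# The second activity mirrors the reported weak point: an exported
# MTCommonActivity pulled in from a library, invisible in the app's own source.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name="com.example.wallet.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.sdk.MTCommonActivity" android:exported="true"/>
    <activity android:name="com.example.sdk.LegacyActivity">
      <intent-filter>
        <action android:name="com.example.sdk.ACTION_OPEN"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.sdk.PushService" android:exported="false"/>
  </application>
</manifest>
"""


def exported_components(manifest_xml):
    """Return (name, tag, reason) for every component another app can reach."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")
            exported = node.get(f"{{{ANDROID_NS}}}exported")
            has_filter = node.find("intent-filter") is not None
            if exported == "true":
                findings.append((name, tag, 'android:exported="true"'))
            elif exported is None and has_filter:
                # With no explicit attribute, an intent-filter made the
                # component exported by default for apps targeting API < 31.
                findings.append((name, tag, "implicit: intent-filter, no android:exported"))
    return findings


if __name__ == "__main__":
    for name, tag, reason in exported_components(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name}  [{reason}]")
```

Run it against build/intermediates/merged_manifests/.../AndroidManifest.xml from a release build; any library component in the output that the app never meant to expose should be reviewed, and the vendor's fix here (marking the activity non-exported) is the change that makes it disappear from the list.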

Shared from Scout.