SDK Flaw Exposed 50M Android Installs

A flaw in the EngageLab SDK exposed over 50 million Android installs — including roughly 30 million crypto wallets — until the vulnerability was patched months after disclosure. The incident underscores how third‑party mobile components can create large, silent risk in fintech and crypto apps. (thehackernews.com)

Android apps are often built like apartments with prefabricated parts: the developer owns the unit, but the locks, pipes, and wiring may come from outside suppliers. In this case, one of those outside parts was a push-notification kit called EngageSDK, and Microsoft said it sat inside apps with more than 50 million installs. (microsoft.com) That kit was not a tiny niche add-on. EngageLab's own documentation says its Android software development kit supports app push and marketing automation, which means developers use it to send alerts and behavior-based messages inside their apps. (engagelab.com)

The flaw lived in how Android apps pass messages to each other. Android calls those messages "intents," and they work like sealed envelopes telling another part of the phone to open a screen, share data, or perform an action. (securityweek.com) Microsoft said the vulnerable EngageSDK could be tricked into forwarding one of those envelopes with the wrong trust attached: the SDK re-sent an intent it had received on behalf of the host app, so the intent carried the host app's identity rather than that of whoever originally sent it. That let a malicious app on the same phone try to use the trusted app's permissions to reach private data it should not have touched. (microsoft.com)

The exposed group was unusually sensitive. Microsoft said crypto wallet apps alone accounted for more than 30 million installs, and when other Android apps using the same vulnerable software development kit were counted, the total passed 50 million installs. (thehackernews.com) SecurityWeek reported that the data at risk included personal information, login credentials, and financial information. In a wallet app, that can mean the difference between a bug report and a drained account. (securityweek.com)

The timeline is the part that stings. Microsoft said it reported the issue to EngageLab in April 2025, informed the Android Security Team in May 2025, and the fix did not land until EngageSDK version 5.2.1 on November 3, 2025. (microsoft.com) By the time the story became public on April 9 and April 10, 2026, Microsoft said all detected apps using vulnerable versions had been removed from Google Play. Microsoft also said Android added extra automatic protections so users who had already downloaded a vulnerable app would have additional mitigation while developers updated. (microsoft.com)

Microsoft said it had no evidence the flaw was exploited in the wild. But the episode showed a familiar mobile problem: an app can look safe on the surface while a third-party component buried inside it quietly expands the attack surface for millions of phones at once. (microsoft.com) That is why this was bigger than one vendor bug. A single notification library, added as a dependency by many developers, created a shared weak point across finance and crypto apps that users never knew they had installed. (microsoft.com)
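The "wrong trust attached" problem described above is the general Android intent-redirection pattern: an exported component takes an intent embedded in its extras and re-launches it, lending the host app's identity to whatever the sender put inside. The code below is an added illustration of that pattern and its defensive counterpart, written for this page; it is not EngageSDK's code, and the class, extra name and allow-list are constructed assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.util.Set;

// Hypothetical exported entry point standing in for an SDK activity that
// receives a notification-tap intent carrying a nested "target" intent.
public class NotificationProxyActivity extends Activity {
    // Constructed extra name for this example; the real SDK's names are not on the page.
    static final String EXTRA_TARGET = "example.extra.TARGET";
    // Constructed allow-list: the only screens a notification may open in this app.
    static final Set<String> ALLOWED_TARGETS = Set.of(
            "com.example.wallet.ui.NotificationDetailActivity",
            "com.example.wallet.ui.MainActivity");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent target = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (target != null && isSafeToForward(target, getPackageName())) {
            startActivity(target); // launched with this app's identity and permissions
        }
        finish();
    }

    // VULNERABLE pattern, shown for contrast: the nested intent is forwarded
    // unchecked. Any app on the device can aim EXTRA_TARGET at one of this
    // app's non-exported components, or attach URI grant flags, and this app
    // will launch it as itself. Never call this in real code.
    static void forwardUnchecked(Activity host, Intent target) {
        host.startActivity(target);
    }

    // HARDENED check: the nested intent must name an explicit component in our
    // own package that is on the allow-list, and URI permission grants are
    // stripped so a content provider cannot be read through us.
    static boolean isSafeToForward(Intent target, String ownPackage) {
        ComponentName cn = target.getComponent();
        if (cn == null || !ownPackage.equals(cn.getPackageName())) {
            return false; // implicit or foreign target: refuse
        }
        if (!ALLOWED_TARGETS.contains(cn.getClassName())) {
            return false; // inside our package but not a screen notifications may open
        }
        target.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        target.setSelector(null); // a selector could re-route resolution elsewhere
        return true;
    }
}
```

The detection side of the same pattern is a code review or static scan for `startActivity`, `startService` or `sendBroadcast` calls whose argument came out of `getParcelableExtra` on an incoming intent; each such site needs a check like `isSafeToForward` or should not forward at all.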

Shared from Scout - Be the smartest in the room.