Android SDK flaw exposed millions
Microsoft disclosed that an outdated Android software‑development kit left more than 50 million users exposed to risks like credential theft and financial data loss. The same disclosure flagged that tens of millions of crypto‑wallet installs were threatened, underlining how a single stale dependency can cascade across payment and identity flows. (techradar.com, coinpedia.org)
Android apps are often built with software development kits, which are prewritten code bundles that save developers from rebuilding basics like push notifications from scratch. The problem is that the bundle runs inside the app that embeds it, so a bug in one shared bundle can spread across millions of phones at once. (microsoft.com)

Android also relies on something called an intent, which is the system’s message slip for telling one app component to open a screen, start a service, or pass data. Google’s developer documentation describes intents as the standard way Android components ask each other to do things. (developer.android.com) Normally, Android keeps each app in its own sandbox, which is like giving every app its own locked room with its own user identity. Google’s Android security documentation says that isolation is enforced with a unique user identifier and separate process boundaries. (source.android.com)

Microsoft says the vulnerable code sat in a third-party package called EngageSDK, made by EngageLab and used for push notifications and in-app messaging. Because that package lived inside the host app, it inherited the host app’s permissions and trust level. (microsoft.com, techrepublic.com)

The bug was an intent redirection flaw, which means a malicious app on the same phone could send a crafted message that the software development kit treated like an internal command. Microsoft says that let the attacker jump across the normal walls of Android’s sandbox and reach private app data. (microsoft.com, thehackernews.com) That is how a harmless-looking app can become a bridge into a more sensitive one. If the target app stored account details, personal information, or wallet data behind its own permissions, the flawed software development kit could carry the attacker across that boundary. (techrepublic.com, microsoft.com)

Microsoft said more than 30 million installations of third-party cryptocurrency wallet apps alone were exposed to risk through this flaw. When Microsoft counted non-wallet apps using the same vulnerable package, the total exposure passed 50 million installs. (microsoft.com, thehackernews.com)

The timeline is almost as striking as the bug. Microsoft said it reported the issue in April 2025, and EngageLab fixed it on November 3, 2025 in version 5.2.1 of the software development kit. (microsoft.com) By the time Microsoft published the details on April 9, 2026, it said all detected apps using vulnerable versions had been removed from Google Play. Microsoft also said Android added automatic protections for users who had already downloaded affected apps. (microsoft.com)

Microsoft said it has no evidence the flaw was exploited in the wild. But this case shows how one stale dependency in a notification tool can quietly sit inside finance apps, identity apps, and wallet apps until a single bug turns into a supply-chain problem on millions of devices. (microsoft.com)
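To make the intent redirection pattern concrete, here is an added example in Java that is not the page's code and not EngageSDK's: a hypothetical exported activity bundled into a host app, with the vulnerable forwarding step shown beside a hardened check. The class name, extra name and allowlisted target are assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

// Hypothetical exported activity shipped inside an SDK that a host app embeds.
// Because it is exported, any app on the device can start it with arbitrary extras.
public class ForwardingActivity extends Activity {
    static final String EXTRA_NEXT = "next_intent"; // hypothetical extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The caller hands us a nested Intent and asks us to launch it on its behalf.
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) { finish(); return; }

        // Vulnerable pattern: forward whatever arrived. The launch now carries the host
        // app's identity and permissions, so a non-exported screen of the host becomes
        // reachable from outside the sandbox. This is the redirection the article describes.
        // startActivity(next);

        // Hardened pattern: only forward to one explicit, allowlisted screen of this
        // package, and strip any URI-permission grants the caller attached.
        if (isSafeToForward(next)) {
            startActivity(next);
        } else {
            finish(); // refuse and drop the request
        }
    }

    // Returns true only for an explicit Intent aimed at the single screen this SDK
    // legitimately opens. Implicit intents and foreign components are rejected.
    boolean isSafeToForward(Intent next) {
        ComponentName target = next.getComponent();
        if (target == null) return false;
        if (!getPackageName().equals(target.getPackageName())) return false;
        // Allowlisted destination (hypothetical class name); that screen must still
        // treat every extra it receives as untrusted input.
        if (!"com.example.host.NotificationDetailActivity".equals(target.getClassName())) return false;
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```

A stricter fix is to never accept an Intent from the caller at all: take only a small identifier such as a notification id, validate it, and build the explicit Intent inside the SDK.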