Android SDK flaw exposed
Microsoft disclosed an Android vulnerability tied to an outdated SDK that reportedly put tens of millions of users at risk by exposing credentials and financial data. Security coverage also flagged the flaw’s impact on crypto wallets, underlining how a vendor SDK problem can cascade into user-facing breaches. (techradar.com, coinpedia.org)
Android is supposed to work like an apartment building where every app gets its own locked unit, and Microsoft said a flaw in a third-party tool called EngageSDK let one app reach into another app’s private space on the same phone. The company disclosed the bug on April 9, 2026 and said it affected a widely used Android software development kit, which is the bundle of prewritten code many app makers plug into their apps. (microsoft.com)

That bundle used Android “intents,” which are the message slips apps pass to each other when they want something done, like opening a screen or sharing a file. Google’s Android developer docs describe intents as the standard way app components communicate, which is why a mistake there can spread across many apps at once. (developer.android.com)

Microsoft said the specific mistake was an “intent redirection” bug in EngageSDK that let a malicious app bypass Android’s sandbox, which is the wall meant to keep one app’s data separate from another’s. In Microsoft’s description, the bad app could gain unauthorized access to private data even though Android’s whole design is built around keeping apps isolated. (microsoft.com)

The scale came from where the code lived, not from one famous app getting hacked. Microsoft said crypto wallet apps alone accounted for more than 30 million installations using the vulnerable software development kit, and it warned that personally identifiable information, user credentials, and financial data were put at risk. (microsoft.com)

Microsoft said it found the issue in April 2025, notified EngageLab and Google’s Android Security Team, and the vendor fixed it on November 3, 2025 in EngageSDK version 5.2.1. That means the dangerous code sat in the supply chain for months, inside a component many app developers likely treated like a trusted spare part. (microsoft.com)

The company also said all detected apps using vulnerable versions were removed from Google Play, which is Google’s main Android app store.
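To make the “intent redirection” mechanism concrete, here is an added Java example of the generic pattern Microsoft’s description names, with the weak form beside a hardened form. It is written for this article and is not EngageSDK’s code or Microsoft’s; the package, class and extra names are assumptions chosen for illustration, and nothing here is a claim about how EngageSDK itself was structured.

```java
// Added example for this article, not EngageSDK's or Microsoft's code.
// Package, class and extra names are assumptions chosen for illustration.
package com.example.intentredirect;

import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

public class ForwardingActivity extends Activity {
    private static final String TAG = "ForwardingActivity";

    // Hypothetical extra under which a caller hands this (exported) activity a nested Intent.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent nested = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (nested != null && isSafeToForward(nested)) {
            // startActivity runs with THIS app's identity, so the nested Intent is
            // only launched once it has been checked and stripped below.
            startActivity(nested);
        }
        finish();
    }

    // Weak pattern behind the "intent redirection" class of bug: an exported
    // component forwards whatever Intent it was handed. Because the forward runs
    // as this app, the caller can reach this app's non-exported (private)
    // components, which is exactly the wall the Android sandbox is meant to keep up.
    @SuppressWarnings("unused")
    private void forwardUnchecked(Intent nested) {
        startActivity(nested);
    }

    // Hardened pattern: resolve the nested Intent first, refuse to forward into a
    // non-exported component, and drop the URI permission grants the caller could
    // otherwise inherit from this app.
    boolean isSafeToForward(Intent nested) {
        ResolveInfo ri = getPackageManager().resolveActivity(nested, 0);
        if (ri == null || ri.activityInfo == null) {
            Log.w(TAG, "nested intent resolves to nothing; dropping");
            return false;
        }
        if (!ri.activityInfo.exported) {
            Log.w(TAG, "refusing to redirect into non-exported component "
                    + ri.activityInfo.packageName + "/" + ri.activityInfo.name);
            return false;
        }
        // Strip grant flags so the caller cannot ride on this app's content-URI access.
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```

The export check is the part that matters for the sandbox: an attacker-controlled nested Intent aimed at one of this app’s own non-exported activities is the “reach into another app’s private space” the article describes, and resolving it before forwarding is what turns that into a logged refusal. AndroidX also ships an allow-list-based helper, IntentSanitizer, that covers the same ground for apps that would rather enumerate the components, actions and data they are willing to forward.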
Google’s own support pages say Google Play Protect scans apps during install and keeps scanning devices afterward, which is why Microsoft said users who had already downloaded a vulnerable app received added protection while developers updated. (microsoft.com, support.google.com)

Microsoft added one important line: as of April 9, 2026, it said it had no evidence the bug had been exploited in the wild. That does not mean the flaw was harmless; it means researchers found a working path to sensitive data before they saw proof of criminals using it at scale. (microsoft.com)

Crypto coverage latched onto this story because wallet apps store the keys to money, not just login details. Coinpedia reported that seed phrases and wallet addresses were part of the exposure scenario described around affected wallet apps, which is why this landed as more than a routine Android patch note for people holding digital assets on phones. (coinpedia.org)

The bigger lesson is that mobile apps now depend on layers of outside code that users never see and developers do not always audit line by line. Microsoft said third-party software development kits create “large and often opaque” dependencies, so one vendor’s bug can turn millions of ordinary app installs into a shared security problem. (microsoft.com)

For users, the practical checklist is short: update wallet and finance apps, keep Google Play Protect on, and avoid installing Android package files from random websites. Google says Play Protect is on by default and can block unverified apps that ask for sensitive permissions, which is exactly the kind of extra filter you want when a hidden software development kit turns out to be the weak link. (support.google.com)