Crypto wallet SDK flaw

A vulnerability in an Android library called EngageSDK reportedly exposed over 30 million crypto-wallet users to risks such as theft and data exposure via an intent-redirection flaw that lets other apps on the device interfere. The issue is a reminder that mobile dependency and SDK supply-chain risks remain acute for financial and crypto apps. Developers shipping wallets or custodial tooling need to account for platform-level threat models and untrusted third-party code. (cybersecuritynews.com)

Android apps are built like Lego sets: a wallet maker writes the app, then snaps in outside code for things like push notifications. In this case, one of those pieces was EngageLab’s EngageSDK, and Microsoft said a flaw in it put more than 30 million crypto-wallet installs at risk. (microsoft.com)

The bug sat in Android’s “intent” system, which is the handoff note one app component uses to ask another component to do something. GitHub’s CodeQL documentation says intent redirection happens when an exported component accepts a user-controlled handoff note and launches something else with the app’s own trust. (codeql.github.com) That is like a bank teller accepting a sealed envelope from a stranger and delivering it through the employee-only door because the teller’s badge opens it. Microsoft said a malicious app on the same phone could abuse the vulnerable SDK to bypass Android’s sandbox and reach private data. (microsoft.com)

The software development kit was not the wallet itself. SecurityWeek reported that EngageSDK is a third-party dependency developers embedded in Android apps, and Microsoft said many of those apps were in the cryptocurrency wallet ecosystem. (securityweek.com) Microsoft said the exposed data could include personally identifiable information, login credentials, and financial information. The Hacker News reported that when non-wallet apps using the same kit are counted too, the total exposure rose past 50 million installs. (microsoft.com) (thehackernews.com)

The vulnerable release was version 4.5.4, according to Microsoft and The Hacker News. Microsoft said it disclosed the issue to EngageLab in April 2025, and the fixed version, 5.2.1, was available by November 3, 2025. (microsoft.com) (thehackernews.com) Microsoft also said it has no evidence the flaw was exploited in the wild. But it still said all detected apps using vulnerable versions were removed from Google Play, which tells you the risk was serious enough to trigger store-level action. (microsoft.com)

Android added automatic protections for the specific EngageSDK risk, and Microsoft said users who had already downloaded a vulnerable app are covered by those mitigations. That means Google and Android moved to reduce danger on devices while developers worked through updates. (microsoft.com)

The deeper problem is that wallet apps handle seed phrases, credentials, and transaction approvals, but they often import outside code written for marketing or messaging features. Microsoft’s write-up says those third-party software development kits create opaque supply-chain dependencies, where one weak link can quietly spread into millions of phones. (microsoft.com)

The fix is not “be careful” in the abstract. GitHub’s CodeQL guidance says developers should avoid exporting components that forward user-provided intents, or strictly check who sent the request and exactly which destination component can be opened. (codeql.github.com)

So the story here is not just one Android bug from April 2026. It is that a push-notification library from one vendor could become a path into crypto-wallet data on another company’s app, because on mobile, borrowed code inherits the trust of the app that ships it. (microsoft.com)
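To make the CodeQL guidance concrete, here is an added example of the pattern it describes, written for this briefing rather than taken from EngageSDK, Microsoft, or any wallet app. It shows an exported Android Activity that receives an embedded Intent (a common shape for "open this screen when the notification is tapped" entry points) and forwards it. The package name `com.example.wallet`, the extra key `target_intent`, and the two allow-listed Activity class names are hypothetical; the Android APIs used (`getCallingPackage`, `Intent.getComponent`, `Intent.removeFlags`) are real.

```java
// Added example, not code from the page or from EngageSDK. Demonstrates the
// intent-redirection shape the CodeQL rule describes and one hardened form of it.
package com.example.wallet; // hypothetical package name

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Declared in the manifest with android:exported="true" so a notification tap can
// reach it. Exporting is what lets any other app on the device send it an Intent.
public class NotificationOpenActivity extends Activity {
    private static final String TAG = "NotificationOpen";
    // Hypothetical extra key carrying the embedded (user-controlled) Intent.
    static final String EXTRA_TARGET = "target_intent";

    // Exact destinations that this entry point is allowed to open. Anything else,
    // including non-exported screens of this app, is refused.
    private static final Set<String> ALLOWED_TARGETS = new HashSet<>(Arrays.asList(
            "com.example.wallet.HomeActivity",                 // hypothetical
            "com.example.wallet.NotificationDetailActivity")); // hypothetical

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (forwarded == null) {
            finish();
            return;
        }

        // Vulnerable shape (kept as a comment, do not ship): forwarding the embedded
        // Intent unchecked launches whatever component it names, with this app's
        // identity, so a caller can reach components the platform sandbox would
        // otherwise keep private to this app.
        // startActivity(forwarded);

        if (isSafeToForward(forwarded)) {
            startActivity(forwarded);
        } else {
            // Drop and log; never launch an Intent that failed validation.
            Log.w(TAG, "Refused to forward untrusted intent: " + forwarded);
        }
        finish();
    }

    // Hardened form: check who sent the request and exactly which destination it names.
    boolean isSafeToForward(Intent forwarded) {
        // 1. Sender check. getCallingPackage() is set only when the caller used
        //    startActivityForResult(), so null is treated as untrusted rather than
        //    as "probably us".
        String caller = getCallingPackage();
        if (caller == null || !caller.equals(getPackageName())) {
            return false;
        }

        // 2. Destination check. Require an explicit component inside our own
        //    package and on the allow-list; implicit Intents are refused.
        ComponentName target = forwarded.getComponent();
        if (target == null
                || !getPackageName().equals(target.getPackageName())
                || !ALLOWED_TARGETS.contains(target.getClassName())) {
            return false;
        }

        // 3. Strip URI-permission grant flags so the forwarded Intent cannot carry
        //    this app's content-provider access along to the destination.
        forwarded.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        return true;
    }
}
```

The first CodeQL recommendation, not exporting the component at all, is simpler still: setting `android:exported="false"` on this Activity in the manifest removes the entry point for other apps entirely, and the allow-list then only guards against mistakes inside the app's own code. The checks above are for the case where the entry point must stay exported.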

Shared from Scout.