Android SDK Flaw Exposes Millions
Microsoft warned that a deprecated Android SDK exposed over 50 million users to credential and financial data theft, and analysts say about 30 million crypto‑wallet installs were affected by the same vulnerability. The disclosure underscores how fragile software supply chains can be when mobile SDKs remain embedded and unpatched in production apps. (techradar.com, coinpedia.org/news/is-your-crypto-safe-microsoft-discloses-android-vulnerability-exposing-30m-wallet-installs/)
An Android app is supposed to live in its own locked room, with the operating system stopping one app from rummaging through another app's files. Microsoft says a flaw in a third-party tool called EngageSDK punched a hole through that wall in apps that included the vulnerable code. (microsoft.com)

That tool is a software development kit, which is basically a prebuilt parts box developers drop into an app for jobs like push notifications and messaging. If the parts box is flawed, every app that shipped with it can inherit the same weakness without the developer writing that bug themselves. (microsoft.com)

The specific bug was an "intent redirection" issue. In Android, an intent is a message one app component uses to ask another component to do something, and Google warns that a bad redirect can let an attacker steer that message into private parts of a vulnerable app. (developer.android.com)

Microsoft said the vulnerable library was EngageLab's EngageSDK, and the dangerous version was 4.5.4. A malicious app on the same phone could abuse that version to bypass the Android sandbox and reach private data that should have stayed sealed off. (microsoft.com, coinpedia.org)

The exposure was unusually broad because software development kits spread quietly through supply chains. Microsoft said more than 50 million app installs were at risk, and more than 30 million of those installs were third-party cryptocurrency wallet apps. (microsoft.com, securityweek.com)

For wallet apps, the prize was not just a password. Microsoft said personally identifiable information, user credentials, and financial data were exposed to risk, while outside reporting said wallet seed phrases and wallet addresses could also be caught in the blast radius if an attacker chained the bug correctly. (microsoft.com, coinpedia.org)

Microsoft said it found the issue in April 2025 and disclosed it to EngageLab and Google's Android Security Team through coordinated vulnerability reporting.
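To make the "intent redirection" idea concrete for developers auditing their own apps, here is an added, generic illustration of the pattern Google's guidance describes: an exported component that forwards a caller-supplied nested Intent without checking where it points, beside a hardened version that only forwards to an allow-listed component of the host app's own package and strips URI-grant flags. This is example code written for this article, not EngageSDK's code or Microsoft's analysis; the extra key, class names and allow-list entries are constructed placeholders.

```java
// Added illustration of the intent-redirection pattern (not EngageSDK's code).
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageManager;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class ForwardingActivity extends Activity {
    // Constructed extra key; a real SDK would define its own.
    private static final String EXTRA_FORWARD = "forward_intent";

    // Constructed allow-list of in-app screens this component may open.
    private static final Set<String> ALLOWED_TARGETS;
    static {
        Set<String> s = new HashSet<>();
        s.add("com.example.host.NotificationDetailActivity"); // placeholder
        ALLOWED_TARGETS = Collections.unmodifiableSet(s);
    }

    // VULNERABLE: forwards whatever nested Intent the caller supplied.
    // If this activity is exported, any app on the device can hand it an
    // Intent aimed at a non-exported component of the host app. The forwarded
    // Intent then runs with the host app's identity, which is how a sandbox
    // boundary between apps gets bypassed.
    void forwardUnchecked(Intent incoming) {
        Intent nested = incoming.getParcelableExtra(EXTRA_FORWARD);
        if (nested != null) {
            startActivity(nested);
        }
    }

    // HARDENED: resolve the nested Intent, require it to land in our own
    // package on an allow-listed component, and drop URI-permission grants
    // so the caller cannot piggyback file access on the forward.
    boolean forwardChecked(Intent incoming) {
        Intent nested = incoming.getParcelableExtra(EXTRA_FORWARD);
        if (nested == null) {
            return false;
        }
        PackageManager pm = getPackageManager();
        ComponentName target = nested.resolveActivity(pm);
        if (target == null) {
            return false; // nothing would handle it; refuse rather than guess
        }
        if (!getPackageName().equals(target.getPackageName())) {
            return false; // would leave our app; an unexpected redirect
        }
        if (!ALLOWED_TARGETS.contains(target.getClassName())) {
            return false; // inside our app but not a screen meant for forwarding
        }
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        startActivity(nested);
        return true;
    }
}
```

Two design points matter for anyone reviewing a third-party SDK's components: the allow-list should name the specific classes that genuinely need to be reachable, not just "our package", and the component should not be exported in the manifest unless another app must call it. The unchecked version above is exactly the shape static analysis tools flag as intent redirection, so a grep for `startActivity` on a `getParcelableExtra` result in vendored SDK code is a cheap first audit step.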
The fix arrived in EngageSDK version 5.2.1 on November 3, 2025, which means the risky code could sit inside production apps for months before every developer updates and republishes. (microsoft.com)

Google did not have to wait for every app maker to move first. Microsoft said Android added automatic mitigations for this specific EngageSDK risk, and Google says Google Play Protect scans apps on Android devices and can warn about or block harmful software. (microsoft.com, support.google.com, developers.google.com)

Microsoft also said all detected apps using vulnerable versions were removed from Google Play, and it said there was no evidence of active exploitation at the time of writing. That is better than a confirmed breach, but it is still a reminder that a phone app can look fine on the surface while carrying old code from a supplier most users have never heard of. (microsoft.com)

The uncomfortable part is how ordinary the setup was. Developers add outside libraries to save weeks of work, but one outdated library for notifications ended up putting tens of millions of installs in the same risk pool, including apps built to guard digital money. (microsoft.com)

For users, the practical advice is boring but specific: update apps, keep Google Play Protect on, and avoid installing Android package files from random sites outside Google Play. For developers, the lesson is narrower and harsher: if a software development kit is deprecated, it is not dead code until every shipped app has removed it. (support.google.com, coinpedia.org, microsoft.com)