Android SDK Exposure
Microsoft warned that a deprecated Android software‑development kit exposed more than 50 million users to potential credential and financial data theft, highlighting third‑party code as a key attack surface (techradar.com). Reports note the same SDK put roughly 30 million crypto‑wallet installs at risk, and a separate legal firm announced an investigation into a Figure Lending breach affecting nearly one million users — a pattern that ties privacy incidents to vendor and dependency management (coinpedia.org, prnewswire.com).
An Android software development kit is a prebuilt bundle of code that app makers drop into their apps so they do not have to build every feature from scratch. Microsoft said one of those bundles, called EngageSDK from EngageLab, let another app on the same phone jump past Android’s normal walls and reach private data. (microsoft.com)
Those walls are Android’s sandbox, which is supposed to keep one app from rummaging through another app’s files like a neighbor trying random keys on apartment doors. Microsoft said the flaw was an intent redirection bug, meaning a malicious app could abuse trusted app-to-app messages to get access it should not have had. (microsoft.com)
Microsoft said the vulnerable code had been installed more than 50 million times across affected Android apps. In crypto wallet apps alone, Microsoft counted more than 30 million installations where personal information, login credentials, and financial data were at risk on the same device. (microsoft.com)
The weak point was not the wallet brand or finance app brand on the icon. The weak point was the shared third-party component inside many different apps, which means one supplier’s mistake can spread across dozens of unrelated products at once. (microsoft.com, techrepublic.com)
Microsoft said it reported the bug to EngageLab in April 2025 and that a patch was released in version 4.6.8 in November 2025. Microsoft also said every app it found using vulnerable versions has since been removed from Google Play, which cuts off new downloads but does not automatically erase old copies already installed on phones. (microsoft.com, thehackernews.com)
This is why old software development kits are such a headache for mobile security teams. An app can look updated on the surface while still carrying an outdated code package underneath, the way a renovated house can still have dangerous wiring behind the walls. (microsoft.com, techrepublic.com)
A separate case shows the same supply-chain problem from the company side instead of the phone side. Figure Technology Solutions disclosed that attackers accessed data through database queries tied to loan and inquiry records, and reports on the incident say about 967,000 user records were exposed after a January 28, 2026 breach. (marketwatch.com, bleepingcomputer.com)
Security researchers and breach reports are pointing at the same pattern from two directions. On phones, a hidden vendor library can open a door across millions of apps, and in finance back ends, one compromised system or partner can spill data for nearly a million people in a single hit. (microsoft.com, securityweek.com)
For users, the practical fix is boring but effective: update apps, delete apps that have not been updated in months, and be extra careful about installing second apps that ask for broad permissions on the same phone as a wallet or banking app. For developers, Microsoft’s warning was simpler still: track every software development kit inside the app, remove deprecated versions fast, and treat third-party code like first-party risk. (microsoft.com, techrepublic.com)
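The intent redirection bug described above follows a well-known Android pattern: an exported component receives a message from another app, pulls a nested Intent out of it, and forwards that Intent with its own identity, so the sender borrows the host app's sandbox privileges. The example below is added here and is not EngageSDK's or Microsoft's code; the class name, the `next_intent` extra and the relay scenario are assumptions chosen to show the generic shape of the bug and one hardened handler. The vulnerable shape is left in a comment for contrast, and the live code checks where the nested Intent would land and strips URI-permission grants before forwarding.

```java
// Added illustration of the generic Android intent-redirection pattern and a
// hardened handler. Not EngageSDK's or Microsoft's code; names are hypothetical.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

public class RelayActivity extends Activity {
    private static final String TAG = "RelayActivity";
    // Hypothetical extra under which a caller hands this Activity a nested Intent.
    private static final String EXTRA_NEXT = "next_intent";

    // VULNERABLE shape, shown only for contrast: if this Activity is exported
    // and does the following, any app on the phone can make it launch an
    // arbitrary Intent with this app's identity, including this app's own
    // non-exported components and any URI grants the Intent carries.
    //
    //   Intent next = getIntent().getParcelableExtra("next_intent");
    //   startActivity(next);   // no check on where 'next' is pointed

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null && isSafeToRelay(next)) {
            startActivity(next);
        } else {
            Log.w(TAG, "Dropped nested intent that failed the relay check");
        }
        finish();
    }

    // Hardened check: only forward to components that are themselves exported,
    // and never lend out this app's content-provider grants along the way.
    boolean isSafeToRelay(Intent next) {
        PackageManager pm = getPackageManager();
        // 1. Resolve the concrete Activity the nested Intent would start.
        ComponentName target = next.resolveActivity(pm);
        if (target == null) return false;
        // 2. Refuse targets that are not exported: those are reachable only
        //    because the relay runs inside this app's sandbox.
        try {
            ActivityInfo info = pm.getActivityInfo(target, 0);
            if (!info.exported) return false;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        // 3. Strip grant flags so the relayed Intent cannot carry this app's
        //    URI permissions to whatever it lands on.
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        return true;
    }
}
```

The exported-target check is what closes the sandbox hole the article describes; the flag stripping closes the quieter variant in which the relayed Intent leaks file access rather than a component. In a real app, also declare `android:exported="false"` on any component that has no reason to accept messages from other packages, which removes the entry point altogether.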
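The developer advice at the end, to track every SDK inside the app and remove deprecated versions fast, is usually enforced as a build-time gate over the resolved dependency list. The following is an added example and not Microsoft's, EngageLab's or any project's tooling: it reads a constructed inventory of bare Maven coordinates, compares each version segment-wise against a minimum, and returns the ones that need replacing. The `com.engagelab:engagesdk` coordinate is an assumption made for illustration; the 4.6.8 threshold is the patched version the article cites.

```java
// Added example of a dependency-version gate. Coordinates are hypothetical;
// only the 4.6.8 threshold comes from the article.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class SdkVersionGate {
    // Minimum acceptable version per "group:artifact". The key is an assumed
    // coordinate for illustration; take the real one from your build files.
    static final Map<String, String> MIN_VERSIONS = Map.of(
            "com.engagelab:engagesdk", "4.6.8");

    // Constructed sample of a dependency report reduced to bare coordinates.
    static final String[] SAMPLE_INVENTORY = {
            "androidx.core:core:1.13.1",
            "com.engagelab:engagesdk:4.5.12",
            "com.squareup.okhttp3:okhttp:4.12.0",
    };

    // Leading digits of a version segment; "8-beta" -> 8, "rc" -> 0.
    static int segment(String s) {
        String digits = s.replaceAll("^(\\d*).*$", "$1");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    // Numeric, segment-wise compare so 4.10.0 sorts above 4.6.8.
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? segment(x[i]) : 0;
            int yi = i < y.length ? segment(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // Returns one message per dependency that sits below its minimum version.
    static List<String> findOutdated(String[] inventory) {
        List<String> flagged = new ArrayList<>();
        for (String line : inventory) {
            String[] parts = line.trim().split(":");
            if (parts.length != 3) continue;          // skip anything not group:artifact:version
            String key = parts[0] + ":" + parts[1];
            String min = MIN_VERSIONS.get(key);
            if (min != null && compareVersions(parts[2], min) < 0) {
                flagged.add(key + " is at " + parts[2] + ", fix shipped in " + min);
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        List<String> outdated = findOutdated(SAMPLE_INVENTORY);
        for (String f : outdated) System.out.println("BLOCK: " + f);
        // A non-zero exit is what makes this usable as a CI gate.
        System.exit(outdated.isEmpty() ? 0 : 1);
    }
}
```

Wiring the gate into the pipeline matters more than the comparison itself: a dependency that is only checked by hand is exactly the outdated code package the article likens to old wiring behind a renovated wall.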