EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallets

Details have emerged about a security vulnerability embedded in a widely used Android software development kit (SDK) called EngageLab SDK that may have put millions of cryptocurrency users at risk.
“This flaw allows apps on the same device to bypass Android’s security sandbox and gain unauthorized access to private data,” the Microsoft Defender Security Research Team said in a report published today.
The EngageLab SDK provides an in-app notification service, which, according to its website, is designed to deliver “timely notifications” based on user behavior that developers are tracking. Once integrated into an app, the SDK provides a way to send personalized notifications and drive real-time interactions.
The tech giant said that a significant number of applications using the SDK are part of the cryptocurrency and digital wallet ecosystem, and that the affected wallet applications accounted for more than 30 million installations. If non-wallet applications built on the same SDK are included, the number of installations exceeds 50 million.
Microsoft did not disclose the names of the apps, but noted that all those apps found to be using vulnerable versions of the SDK have been removed from the Google Play Store. Following the responsible disclosure in April 2025, EngageLab released version 5.2.1 in November 2025 to address the vulnerability.
The problem, identified in version 4.5.4, is described as an intent redirection vulnerability. Intents in Android are messaging objects used to request an action from another app component.
Intent redirection occurs when an attacker manipulates the contents of an intent sent by a vulnerable application, taking advantage of that application's trusted context (i.e., its permissions) to gain unauthorized access to protected components, expose sensitive data, or escalate privileges within the Android environment.
An attacker could exploit this vulnerability through a malicious application installed on the device by other means, using it to access the internal directories associated with applications that bundle the SDK, resulting in unauthorized access to sensitive data.
There is no evidence that the vulnerability has been exploited in a malicious context. That said, developers who integrate the SDK are advised to update to the latest version as soon as possible, especially given that even small bugs in upstream libraries can have cascading effects on millions of devices.
“This case shows that weaknesses in third-party SDKs can have significant security implications, especially in high-value sectors such as digital asset management,” Microsoft said. “Applications increasingly rely on third-party SDKs, creating large and often invisible dependencies. These risks increase when integration exposes exported components or relies on unverified reliable assumptions about all application parameters.”
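Microsoft's point about exported components arriving through SDK integration can be checked at build time. The following is an added example, not code from Microsoft, EngageLab or the original article: a Python audit of a merged AndroidManifest.xml that lists components other apps can reach without holding a permission. The manifest sample and every package and class name in it are constructed, and treating classes outside the app package as library code is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed merged manifest; every package and class name here is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.vendor.pushsdk.RelayActivity" android:exported="true"/>
    <service android:name="com.vendor.pushsdk.PushService" android:exported="false"/>
    <receiver android:name="com.vendor.pushsdk.EventReceiver">
      <intent-filter><action android:name="com.vendor.pushsdk.EVENT"/></intent-filter>
    </receiver>
    <provider android:name="com.vendor.pushsdk.FileStore" android:exported="true"
        android:permission="com.example.wallet.permission.INTERNAL"/>
  </application>
</manifest>"""


def audit_exported(manifest_xml):
    """Return (tag, class, note) for components other apps can reach unguarded."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or comp.get(ANDROID_NS + "permission"):
            continue  # not a component, or gated by a permission (review its protectionLevel)
        name = comp.get(ANDROID_NS + "name", "")
        if name.startswith("."):  # relative names resolve against the app package
            name = app_pkg + name
        exported = comp.get(ANDROID_NS + "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and comp.tag != "provider" and comp.find("intent-filter") is not None:
            reason = "implicitly exported by intent-filter when targetSdk < 31"
        else:
            continue
        # Heuristic (assumption): classes outside the app package came from a library.
        origin = "app" if name.startswith(app_pkg + ".") else "third-party"
        findings.append((comp.tag, name, f"{reason}; {origin} code"))
    return findings


if __name__ == "__main__":
    for finding in audit_exported(SAMPLE_MANIFEST):
        print(" | ".join(finding))
```

Each third-party finding is a component to review for how it handles incoming intents, and to set to `android:exported="false"` where the SDK does not need other apps to reach it.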



