Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put tens of millions of cryptocurrency wallet users at risk.
“This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data,” the Microsoft Defender Security Research Team said in a report published today.
EngageLab SDK offers a push notification service, which, according to its website, is designed to deliver “timely notifications” based on user behavior already tracked by developers. Once integrated into an app, the SDK offers a way to send personalized notifications and drive real-time engagement.
The tech giant said a significant number of apps using the SDK are part of the cryptocurrency and digital wallet ecosystem, and that the affected wallet apps accounted for more than 30 million installations. When non-wallet apps built on the same SDK are included, the installation count surpasses 50 million.
Microsoft did not reveal the names of the apps, but noted that all the detected apps using vulnerable versions of the SDK have been removed from the Google Play Store. Following responsible disclosure in April 2025, EngageLab released version 5.2.1 in November 2025 to address the vulnerability.
The issue, identified in version 4.5.4, has been described as an intent redirection vulnerability. Intents in Android are messaging objects used to request an action from another app component.
Intent redirection occurs when the contents of an intent that a vulnerable app sends are manipulated by taking advantage of its trusted context (i.e., permissions) to gain unauthorized access to protected components, expose sensitive data, or escalate privileges within the Android environment.
An attacker could exploit this vulnerability by means of a malicious app installed on the device through some other means to access internal directories associated with an app that has the SDK integrated, resulting in unauthorized access to sensitive data.
There is no evidence that the vulnerability was ever exploited in a malicious context. That said, developers who integrate the SDK are recommended to update to the latest version as soon as possible, especially given that even trivial flaws in upstream libraries can have cascading impacts and affect tens of millions of devices.
“This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management,” Microsoft said. “Apps increasingly rely on third-party SDKs, creating large and often opaque supply-chain dependencies. These risks increase when integrations expose exported components or rely on trust assumptions that aren’t validated across app boundaries.”

