A serious security vulnerability has been discovered in the widely used EngageLab Android SDK, potentially putting more than 50 million users at risk, including over 30 million cryptocurrency wallet users. The flaw, identified by Microsoft’s security researchers, allowed malicious apps on the same device to bypass Android’s sandbox protections and gain unauthorized access to sensitive data. (The Hacker News)

The EngageLab SDK, commonly integrated into apps for push notifications and user engagement, was found to contain an “intent redirection” vulnerability. This issue could be exploited by a malicious application to manipulate trusted app components, access internal storage, and escalate privileges without user consent. (The Hacker News)
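To make the class of bug concrete, here is the general shape of an Android intent redirection flaw in an exported component and the defensive check that closes it. This is an added illustration, not code from EngageLab, the patched SDK, or the original article; the activity class and the `forward_intent` extra name are assumed for illustration.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

// Hypothetical exported activity that receives a nested Intent from another app
// (for example, to open a screen chosen by a push notification) and relaunches it.
public class NotificationRouterActivity extends Activity {
    private static final String EXTRA_FORWARD = "forward_intent"; // assumed name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra(EXTRA_FORWARD);
        if (forward == null) {
            finish();
            return;
        }

        // Weak pattern: relaunching a caller-supplied Intent unchecked runs it with
        // this app's identity, so non-exported components and the app's private
        // data become reachable from any other app on the device.
        // startActivity(forward);

        // Hardened pattern: only forward after validating the destination.
        if (isSafeToForward(forward)) {
            startActivity(forward);
        }
        finish();
    }

    // The redirected Intent must resolve to a component outside this package and
    // must not carry URI permission grants that would hand over our content access.
    boolean isSafeToForward(Intent forward) {
        ComponentName target = forward.resolveActivity(getPackageManager());
        if (target == null) {
            return false;
        }
        if (getPackageName().equals(target.getPackageName())) {
            return false; // would reach our own non-exported components
        }
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        return (forward.getFlags() & grantFlags) == 0;
    }
}
```

The same check applies wherever an SDK component forwards a caller-supplied Intent to `startActivity`, `startService`, or `sendBroadcast`; the component should also be kept non-exported unless other apps genuinely need to reach it.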

Researchers noted that many affected apps belonged to the crypto and digital wallet ecosystem, significantly increasing the potential impact. Although there is no evidence that the vulnerability was actively exploited in real-world attacks, the risk remained high due to the scale of affected installations. (The Hacker News)

The flaw was responsibly disclosed in April 2025, and EngageLab addressed the issue with a patched version (v5.2.1) released in November 2025. Google has since removed apps using vulnerable SDK versions from the Play Store to mitigate further risk. (The Hacker News)

Security experts warn that this incident highlights the growing dangers of third-party SDK dependencies, especially in high-value sectors like cryptocurrency, where even minor vulnerabilities can have large-scale consequences. (The Hacker News)