- Microsoft found EngageLab SDK flaw affecting 50 million Android devices
- Vulnerability lets apps bypass sandboxing and access private data
- At least 30 million installs were crypto apps, patched in v5.2.1
About 50 million Android devices used apps with vulnerabilities that allowed threat actors to access private data stored on those devices, experts have warned. Many of these installations were cryptocurrency apps, which only added to the problem.
Security researchers from Microsoft said they identified an “intent redirection vulnerability” in the EngageLab SDK, a popular software development kit that helps build user engagement features such as push notifications or in-app notifications.
“This flaw allows apps on the same device to bypass the Android security sandbox and gain unauthorized access to private data,” Microsoft wrote in its report.
Removal of vulnerable apps
Intent is a mechanism in Android used for communication between apps (or between multiple components inside a single app). It acts as a message object that carries data and instructions, enabling one component to request an action from another (such as opening an activity or triggering a function).
Although any app can send an intent, whether it is accepted depends on the identity and permissions of the sending app.
Microsoft did not say which apps contained the vulnerable SDK, but said cryptocurrency apps accounted for at least 30 million of the downloads. The bug was discovered in April 2025 in version 4.5.4. It was fixed in November of that year, in version 5.2.1.
All apps built with the flawed SDK were removed from Google’s Play Store, it said.
Microsoft also stated that it found no evidence that malicious actors discovered this flaw in advance and used it as a zero-day in real attacks. However, developers are encouraged to update the SDK to the latest version as soon as possible.
“This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management,” Microsoft said. “Apps increasingly rely on third-party SDKs, creating large and often opaque supply chain dependencies. These risks are heightened when integrations expose exported components or rely on trust assumptions that are not validated across app boundaries.”
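As an added example (not taken from Microsoft's report or from the EngageLab SDK), the Python script below audits a merged AndroidManifest.xml for the exported components mentioned above: it lists every activity, service or receiver that another app can reach without a signature-level permission and marks whether it comes from the app's own package or from a third-party library. The manifest and all com.example.* names are constructed; content providers are left out and the pre-targetSdk-31 export default is assumed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "service", "receiver")  # providers left out

# Constructed merged manifest; every com.example.* name is invented for this example.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <permission android:name="com.example.wallet.PUSH" android:protectionLevel="signature"/>
  <permission android:name="com.example.wallet.OPEN" android:protectionLevel="normal"/>
  <application>
    <activity android:name="com.example.wallet.MainActivity" android:exported="true"/>
    <activity android:name="com.example.pushsdk.RouterActivity" android:exported="true"/>
    <activity android:name="com.example.pushsdk.DeepLinkActivity" android:exported="true"
        android:permission="com.example.wallet.OPEN"/>
    <service android:name="com.example.pushsdk.PushService" android:exported="true"
        android:permission="com.example.wallet.PUSH"/>
    <receiver android:name="com.example.pushsdk.EventReceiver">
      <intent-filter><action android:name="com.example.pushsdk.EVENT"/></intent-filter>
    </receiver>
    <activity android:name="com.example.wallet.SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """List components other apps can start without holding a signature permission."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    for comp in ([] if app is None else [c for c in app if c.tag in TAGS]):
        exported = comp.get(NS + "exported")
        if exported is None:  # old default: an intent-filter implies exported
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        perm = comp.get(NS + "permission") or app.get(NS + "permission")
        if perm and "signature" in levels.get(perm, ""):
            continue  # only callers signed with the same key get through
        name = comp.get(NS + "name", "")
        origin = "app" if name.startswith((pkg + ".", ".")) else "third-party"
        findings.append((origin, comp.tag, name, perm or "none"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE), sep="\n")
```

A component guarded by a permission that the manifest does not itself declare is still reported, with the permission name in the last column, so its protection level can be checked by hand.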
Via Hacker News



