- Microsoft found a flaw in the EngageLab SDK affecting 50 million Android devices
- Vulnerability allows applications to bypass sandbox and access private data
- At least 30 million installs were crypto apps; the flaw was patched in v5.2.1
Approximately 50 million Android devices were running apps with vulnerabilities that allowed threat actors to access private data stored on those devices, experts warned. Many of those installations were cryptocurrency apps, which only exacerbated the problem.
Microsoft security researchers said they identified an “intent redirection vulnerability” in EngageLab SDK, a popular software development kit that helps create user engagement features such as push notifications or in-app messages.
“This flaw allows apps on the same device to bypass Android security and gain unauthorized access to private data,” Microsoft wrote in its report.
Remove vulnerable applications
An intent is a mechanism in Android used for communication between applications (or between multiple components within a single application). It acts as a message object that carries data and instructions, allowing one component to request an action from another (such as opening an activity or activating a function).
While any app can send an intent, its acceptance depends on the identity and permissions of the app sending it.
Microsoft did not say which apps contained the vulnerable SDK, but said at least 30 million of the downloads were for cryptocurrency apps. The bug was discovered in April 2025, in version 4.5.4. It was patched in November of the same year, in version 5.2.1.
All apps created with the faulty SDK were said to have been removed from Google’s Play Store.
Microsoft also stated that it found no evidence that malicious actors discovered this flaw beforehand and used it as a zero-day in real-life attacks. However, developers are urged to update the SDK to the latest version as soon as possible.
“This case shows how weaknesses in third-party SDKs can have large-scale security implications, especially in high-value sectors like digital asset management,” Microsoft said. “Applications are increasingly reliant on third-party SDKs, creating large and often opaque dependencies in the supply chain. These risks increase when integrations expose exported components or rely on trusted assumptions that are not validated across application boundaries.”
Via Hacker News




