Details emerged about a now-patched security vulnerability in the EngageLab SDK that could have exposed millions of cryptocurrency wallet users after apps using version 4.5.4 were found vulnerable. Microsoft Defender said the intent redirection flaw allowed apps on the same device to bypass the Android sandbox and access private data, prompting removal from Google Play and an EngageLab patch (v5.2.1). #EngageLab #MicrosoftDefender
Keypoints
- The EngageLab SDK contained an intent redirection vulnerability in version 4.5.4 that could bypass Android sandbox protections.
- Wallet apps using the vulnerable SDK accounted for more than 30 million installations, with total affected installs exceeding 50 million when non‑wallet apps are included.
- A malicious app installed on the same device could exploit the flaw to access internal directories and sensitive data of apps integrating the SDK.
- Microsoft Defender disclosed the issue; affected apps detected on Google Play were removed and EngageLab released a fix in version 5.2.1 in November 2025.
- No evidence of real‑world exploitation was found, but developers are strongly advised to update immediately to mitigate supply‑chain risks.
Read More: https://thehackernews.com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html