- Microsoft discovered a flaw in the EngageLab SDK affecting 50 million Android devices
- Vulnerability allows apps to bypass sandbox and access private data
- At least 30 million installs were crypto apps; the flaw was fixed in version 5.2.1
According to experts, around 50 million Android devices were running apps with vulnerabilities that allowed malicious actors to access private data stored on these devices. Many of these installs were cryptocurrency apps, which only made the problem worse.
Microsoft security researchers said they have identified an “intent redirection vulnerability” in EngageLab SDK, a popular software development kit that helps build user engagement features such as push notifications or in-app messaging.
“This flaw allows applications on the same device to bypass the Android security sandbox and gain unauthorized access to private data,” Microsoft writes in its report.
Removing vulnerable apps
An intent is an Android mechanism for communication between applications (or between multiple components within a single application). It acts as a message object carrying data and instructions, allowing one component to request an action from another (such as opening an activity or triggering a function).
Although any application can send an intent, whether it is accepted depends on the identity and permissions of the sending application.
Microsoft did not specify which apps contained the vulnerable SDK, but said at least 30 million downloads were for cryptocurrency apps. The bug was discovered in April 2025, in version 4.5.4. It was patched in November of the same year, in version 5.2.1.
All apps built with the buggy SDK have reportedly been removed from Google’s Play Store.
Microsoft also said it found no evidence of malicious actors discovering this flaw beforehand and using it as a zero-day in real-world attacks. However, developers are advised to update the SDK to the latest version as soon as possible.
“This case highlights how weaknesses in third-party SDKs can have large-scale security implications, particularly in high-value industries like digital asset management,” Microsoft said. “Applications increasingly rely on third-party SDKs, creating significant and often opaque supply chain dependencies. These risks increase when integrations expose exported components or rely on trust assumptions that are not validated across application boundaries.”
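For developers who want to see which exported components an SDK has added to their app, here is an added example (not code from Microsoft, EngageLab or the original report) that audits a decoded, merged AndroidManifest.xml for components other apps can reach and the permission guarding each one. The sample manifest and every package and class name in it are constructed and hypothetical; only `android:permission` is checked, so provider read/write permissions are not considered.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed merged-manifest sample; every package and class name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name="com.vendor.pushsdk.RelayActivity" android:exported="true"/>
    <service android:name="com.vendor.pushsdk.SyncService" android:exported="true"
        android:permission="com.example.wallet.permission.PUSH"/>
    <receiver android:name="com.vendor.pushsdk.EventReceiver">
      <intent-filter><action android:name="com.vendor.pushsdk.EVENT"/></intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """List components other apps can send intents to, with their permission guard."""
    root = ET.fromstring(xml_text)
    package, app = root.get("package", ""), root.find("application")
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        # No explicit value + intent filter: exported by default when targeting below Android 12.
        if exported == "true":
            how = "explicit"
        elif exported is None and comp.find("intent-filter") is not None:
            how = "implicit"
        else:
            continue
        name = comp.get(ANDROID + "name", "")
        findings.append({
            "name": name, "type": comp.tag, "exported": how,
            # A component inherits <application android:permission> unless it sets its own.
            "permission": comp.get(ANDROID + "permission") or app.get(ANDROID + "permission"),
            # Heuristic: classes outside the app's package usually come from a merged SDK.
            "third_party": not name.startswith((".", package + ".")),
        })
    return findings

def unguarded_third_party(findings):
    """Names of SDK-contributed components reachable without any permission."""
    return [f["name"] for f in findings if f["third_party"] and not f["permission"]]
```

Each name returned by `unguarded_third_party` is a component to review: confirm it needs to be exported at all, and if it does, that it validates the caller and any intent it forwards.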
Via Hacker news




