{“lastseen”:”2026-04-09T17:43:43″,”description”:”\\n\\nDetails have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put millions of cryptocurrency wallet users at risk.\\n\\n\\”This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data,\\” the Microsoft Defender Security Research Team said in a report published today.\\n\\nEngageLab SDK offers a push notification service, which, according to its website, is designed to deliver \\”timely notifications\\” based on user behavior already tracked by developers. Once integrated into an app, the SDK offers a way to send personalized notifications and drive real-time engagement.\\n\\nThe tech giant said a significant number of apps using the SDK are part of the cryptocurrency and digital wallet ecosystem, and that the affected wallet apps accounted for more than 30 million installations. When non\u2011wallet apps built on the same SDK are included, the installation count surpasses 50 million.\\n\\nMicrosoft did not reveal the names of the apps, but noted that all those detected apps using vulnerable versions of the SDK have been removed from the Google Play Store. Following responsible disclosure in April 2025, EngageLab released version 5.2.1 in November 2025 to address the vulnerability.\\n\\nThe issue, identified in version 4.5.4, has been described as an intent redirection vulnerability. Intents in Android refer to messaging objects that are used to request an action from another app component.\\n\\nIntent redirection occurs when the contents of an intent that a vulnerable app sends are manipulated by taking advantage of its trusted context (i.e., permissions) to gain unauthorized access to protected components, expose sensitive data, or escalate privileges within the Android environment.\\n\\nAn attacker could exploit this vulnerability by means of a malicious app installed on the device through some other means to access internal directories associated with an app that has the SDK integrated, resulting in unauthorized access to sensitive data.\\n\\nThere is no evidence that the vulnerability was ever exploited in a malicious context. That said, developers who integrate the SDK are recommended to update to the latest version as soon as possible, especially given that even trivial flaws in upstream libraries can have cascading impacts and impact millions of devices.\\n\\n\\”This case shows how weaknesses in third\u2011party SDKs can have large\u2011scale security implications, especially in high\u2011value sectors like digital asset management,\\” Microsoft said. \\”Apps increasingly rely on third\u2011party SDKs, creating large and often opaque supply\u2011chain dependencies. These risks increase when integrations expose exported components or rely on trust assumptions that aren\u2019t validated across app boundaries.\\”\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-04-09T17:26:00″,”modified”:”2026-04-09T17:26:19″,”type”:”thn”,”title”:”EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallets”,”source”:””,”references”:””,”id”:”THN:1FD03A0B6114E6C5144A68CE7A31340A”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/04\/engagelab-sdk-flaw-exposed-50m-android.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-09T17:43:43″,”description”:”\\n\\nDetails have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-42739","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n