Microsoft Uncovers Android Vulnerability Affecting Crypto Apps And User Data

  • Around 50 million Android devices were affected by a flawed EngageLab SDK
  • The bug allowed apps to bypass Android sandbox protections
  • Over 30 million affected installs were linked to crypto apps
  • The issue was patched in version 5.2.1 and affected apps were removed

A newly disclosed security flaw has raised fresh concerns about the risks buried inside third-party mobile components. Researchers at Microsoft have identified a serious vulnerability in the EngageLab SDK, a tool commonly used by Android developers to power features like push notifications and in-app messaging.

The issue, which persisted in older versions of the SDK, potentially exposed sensitive user data across tens of millions of devices.

According to the findings, around 50 million Android devices were running apps that included the vulnerable SDK. What makes this discovery more alarming is the nature of the affected apps. A significant portion, estimated at over 30 million installs, were tied to cryptocurrency platforms where financial data and credentials are particularly valuable targets.

How the flaw worked and why it mattered

The vulnerability stems from what security experts describe as an intent redirection issue. On Android, intents act as a communication bridge between apps or between different components within the same app. They allow one part of the system to request actions from another, often carrying data along the way.

Under normal circumstances, Android’s sandboxing mechanism ensures that apps operate in isolation, preventing unauthorized access to sensitive information. However, the flawed SDK weakened this protection. It allowed malicious apps on the same device to exploit the communication mechanism and bypass standard security boundaries.

In practical terms, this meant that a rogue app could potentially intercept or access private data belonging to another app. This could include login credentials, personal messages, or even financial information depending on the targeted application.
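To make the mechanism concrete, here is the generic Android intent redirection pattern with the kind of validation Microsoft recommends. This is an added illustration, not the EngageLab SDK's code (the article does not show its internals); the class, the extra name and the specific checks are assumptions.

```java
// Added illustrative example, not EngageLab SDK code: the generic Android
// "intent redirection" pattern and one way to validate a forwarded Intent.
// The class, extra name and checks below are assumptions for illustration.
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

public class NotificationClickActivity extends Activity {
    // Hypothetical name of the extra carrying the nested "where to go next" Intent.
    private static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null && isSafeToForward(next)) {
            startActivity(next);   // forwarded with this app's identity and permissions
        }
        finish();
    }

    // The redirection bug is calling startActivity(next) without these checks: any app
    // that can reach this exported activity could then have the host app launch its
    // non-exported components, or pass along content-URI grants, on the caller's behalf.
    private boolean isSafeToForward(Intent next) {
        // 1. Never pass on content-URI grants attached to the nested Intent.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
        if ((next.getFlags() & grantFlags) != 0) {
            return false;
        }
        // 2. Resolve the real destination and refuse anything that is not exported:
        //    a non-exported activity is reachable only from inside its own app, so
        //    forwarding to it would be exactly the sandbox bypass described above.
        ResolveInfo target = getPackageManager().resolveActivity(next, 0);
        if (target == null || target.activityInfo == null) {
            return false;
        }
        return target.activityInfo.exported;
    }
}
```

The same checks apply to services and broadcast receivers that forward embedded Intents, and the entry activity itself should not be exported at all unless other apps genuinely need to reach it.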


Timeline of discovery and response

Microsoft’s security team first identified the flaw in April 2025, tracing it to EngageLab SDK version 4.5.4. The issue remained unresolved until November 2025, when a patched version, 5.2.1, was released.

By the time the fix became available, millions of devices had already been exposed through apps that integrated the vulnerable version. In response, all affected applications were removed from the Google Play Store to limit further risk.

Despite the scale of exposure, there is currently no evidence that attackers exploited the vulnerability in real-world scenarios. Microsoft noted that it did not find signs of the flaw being used as a zero-day exploit. Still, the absence of confirmed attacks does not reduce the seriousness of the issue.

A broader warning about third-party dependencies

Beyond the immediate impact, this incident highlights a deeper and growing problem in the mobile ecosystem. Modern apps rely heavily on third-party SDKs to accelerate development and add advanced features. While convenient, these dependencies often introduce hidden risks.

Developers may not fully audit or understand the internal workings of the SDKs they integrate. When vulnerabilities emerge, they can ripple across thousands of apps simultaneously, creating large-scale exposure in a short time.

Microsoft emphasized that such supply chain risks are particularly dangerous in high-value sectors like cryptocurrency and financial services. In these environments, even a small weakness can have outsized consequences.


The company is urging developers to update to the latest SDK versions immediately and to adopt stricter validation practices when integrating external components. Ensuring that app components do not blindly trust incoming data or requests is now more critical than ever.

What users should take away

For everyday users, the situation serves as a reminder that app security is not always visible or within their control. Even trusted apps can carry hidden vulnerabilities if they rely on outdated or insecure components.

Keeping apps updated, avoiding unnecessary installations, and being cautious with app permissions remain the best lines of defense. While this particular flaw may not have been actively exploited, it underscores how quickly things can go wrong at scale.

Emily Parker