A critical vulnerability in the EngageLab SDK has exposed up to 50 million Android users to potential data breaches; a significant portion of the affected installs, over 30 million, belong to crypto wallet apps. Microsoft researchers discovered the flaw, which allowed malicious apps to bypass Android's sandbox security features and access sensitive information. The vulnerability was addressed in version 5.2.1 of the EngageLab SDK following a coordinated disclosure, and apps using the vulnerable SDK were removed from the Google Play store. Fortunately, there have been no confirmed instances of active exploitation [1]. The case underscores the risks associated with third-party software development kits and the importance of rigorous security testing. This matters to practitioners because it highlights the need for ongoing vigilance in securing mobile devices and protecting user data from the threats posed by vulnerable SDKs.
EngageLab SDK flaw opens door to private data on 50M Android devices
⚡ High Priority
Why This Matters
The flaw put millions of users, including over 30M crypto wallet installs, at risk.
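As an added example (not code from SecurityAffairs, Microsoft or EngageLab), the following script scans Gradle dependency declarations and flags any EngageLab SDK coordinate pinned below the fixed release 5.2.1 named above, comparing versions numerically so that 5.10.0 is not mistaken for an older build. It assumes the SDK can be recognised by "engagelab" appearing in the Maven group or artifact name; the com.example.engagelab coordinates in the sample are constructed placeholders.

```python
"""Flag Gradle dependency lines that pin an EngageLab SDK build older than 5.2.1.
Added example, not vendor code. Assumption: the SDK is any coordinate whose
group or artifact name contains "engagelab" (real coordinates may differ).
"""
import re

FIXED_VERSION = (5, 2, 1)  # release that addressed the flaw, per the report

# Matches implementation/api/compileOnly/runtimeOnly "group:artifact:version".
_DEP_RE = re.compile(
    r'^\s*(?:implementation|api|compileOnly|runtimeOnly)\s*[\(\s]\s*'
    r'["\']([^:"\']+):([^:"\']+):([^"\']+)["\']'
)


def parse_version(text):
    """Turn '5.2.1' or '5.2.1-beta' into a comparable tuple of ints; None if unparseable."""
    nums = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', text)
    if not nums:
        return None
    return tuple(int(p) if p else 0 for p in nums.groups())


def find_vulnerable_deps(gradle_text):
    """Return (group, artifact, version) for EngageLab coordinates below the fix."""
    hits = []
    for line in gradle_text.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if "engagelab" not in (group + artifact).lower():
            continue
        parsed = parse_version(version)
        # Unparseable versions (e.g. a "+" dynamic range) are reported for manual review.
        if parsed is None or parsed < FIXED_VERSION:
            hits.append((group, artifact, version))
    return hits


# Constructed build.gradle fragment (placeholder coordinates, not a real project).
SAMPLE_GRADLE = """
dependencies {
    implementation 'com.example.engagelab:sdk:5.1.9'
    implementation("com.example.engagelab:sdk-push:5.2.1")
    api 'com.example.engagelab:sdk-core:5.10.0'
    implementation 'androidx.core:core-ktx:1.12.0'
    implementation 'com.example.engagelab:sdk-legacy:+'
}
"""

if __name__ == "__main__":
    for group, artifact, version in find_vulnerable_deps(SAMPLE_GRADLE):
        print(f"needs review: {group}:{artifact}:{version}")
```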
References
- SecurityAffairs. (2026, April 10). EngageLab SDK flaw opens door to private data on 50M Android devices. *SecurityAffairs*. https://securityaffairs.com/190586/hacking/engagelab-sdk-flaw-opens-door-to-private-data-on-50m-android-devices.html
Original Source
SecurityAffairs