A serious vulnerability has been discovered in EngageLab, a popular Android SDK, that could have exposed users’ private data. Over 50 million installations, including over 30 million crypto wallets, were at risk.
New information has come to light about a flaw in the popular third-party Android SDK EngageLab that could have exposed millions of users, including those who use crypto wallets, to security risks.
Researchers at Microsoft Defender identified the issue. They say the bug would allow apps running on the same device to circumvent Android’s security sandbox (the mechanism that isolates apps from one another) and gain direct access to private data belonging to other apps.
“Apps running on one device can now bypass Android’s sandboxing, giving them unauthorized access to private user data,” Microsoft stated.
The EngageLab SDK is commonly used to provide push notifications and personalized user interaction. With the SDK, apps can send targeted messages to users based on their behavioral patterns and track activity in real time. For this reason, many mobile services use it.
Approximately 75% of the applications using the EngageLab SDK belong to the cryptocurrency ecosystem. Crypto wallets alone account for over 30 million installations, and the total across all applications built with the SDK is estimated to exceed 50 million.
Specific app names are not listed; however, it has been confirmed that all applications using the vulnerable SDK versions have since been removed from the Google Play store. Back in April 2025, Microsoft informed EngageLab of the potential vulnerability. Subsequently, in November 2025, EngageLab issued update version 5.2.1, closing the vulnerability.
The vulnerability exists in SDK version 4.5.4 and is described as an intent redirection bug. In Android, an “intent” is a message used to pass requests between application components. By manipulating these requests, an attacker can use the trusted context of the vulnerable application, along with its permissions, to gain access to restricted components, obtain confidential data, or even escalate privileges within the system.
An attacker would begin the attack by installing a malicious application. That application would then use the vulnerable SDK to gain access to the internal directories of other applications, which may contain sensitive data.
The researchers indicate there is currently no evidence of this vulnerability being used in a real-world attack. Nevertheless, they advise developers to update their SDKs immediately: even small errors in third-party libraries can scale exponentially, affecting millions of devices.
“This case illustrates how flaws in third-party SDKs can have large-scale security consequences, especially when used within high-risk industries such as digital asset management,” Microsoft indicated.
“As more applications depend upon third-party SDKs, creating large and often opaque dependencies within the supply chain increases risk, particularly when integrations expose components or are based upon trust assumptions that are not tested within the applications.”
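For developers reviewing their own builds, one way to list the components that third-party code has merged into an app's manifest as exported and unprotected, the kind of exposed component the Microsoft statement above refers to. This is an added example, not code from Microsoft or EngageLab; the manifest, the package name and the com.example.pushsdk classes are constructed, and treating a missing android:exported as "exported when an intent-filter is present" is a conservative assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest; all package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.example.pushsdk.RouterActivity" android:exported="true"/>
    <service android:name="com.example.pushsdk.SyncService" android:exported="true"
        android:permission="com.example.wallet.permission.PUSH"/>
    <receiver android:name="com.example.pushsdk.MsgReceiver">
      <intent-filter><action android:name="com.example.pushsdk.MSG"/></intent-filter>
    </receiver>
    <provider android:name="com.example.pushsdk.FileProvider" android:exported="false"
        android:authorities="com.example.wallet.files"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; if absent, an intent-filter implies exported."""
    flag = elem.get(A + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def audit(manifest_xml):
    """Return (tag, class, reason) for exported, unprotected components outside the app package."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        name = elem.get(A + "name", "")
        if name.startswith(".") or "." not in name:  # relative class name
            name = app_pkg + "." + name.lstrip(".")
        # Skip first-party classes and components guarded by a permission attribute.
        if name.startswith(app_pkg + ".") or elem.get(A + "permission"):
            continue
        reason = "explicit" if elem.get(A + "exported") else "implicit via intent-filter"
        findings.append((elem.tag, name, reason))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_MANIFEST), sep="\n")
```

A permission attribute is only a first filter: a component guarded by a normal-level permission still needs manual review, as does every component this check reports.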