- Microsoft found EngageLab SDK flaw affecting 50 million Android devices
- Vulnerability let apps bypass sandbox and access private data
- At least 30 million installs were crypto apps, patched in v5.2.1
Roughly 50 million Android devices were using apps with vulnerabilities that allowed threat actors to access private data stored on those devices, experts have warned. Many of those installations were cryptocurrency apps, which only made the problem bigger.
Security researchers from Microsoft said they identified an “intent redirection vulnerability” in EngageLab SDK, a popular software development kit that helps build user engagement features such as push notifications or in-app messaging.
“This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data,” Microsoft wrote in its report.
Removing vulnerable apps
An intent is an Android mechanism for communication between apps (or between multiple components inside a single app). It acts as a message object carrying data and instructions, allowing one component to request an action from another (such as opening an activity or triggering a function).
While any app can send an intent, whether it’s accepted depends on the identity and permissions of the sending app.
Microsoft did not say which apps contained the vulnerable SDK but said that at least 30 million of the installs were cryptocurrency apps. The bug was discovered in April 2025, in version 4.5.4. It was patched in November the same year, in version 5.2.1.
All of the apps built with the vulnerable SDK were reportedly removed from Google’s Play Store.
Microsoft also stated that it found no evidence of malicious actors discovering this flaw beforehand and using it as a zero-day in real-life attacks. However, developers are urged to update the SDK to the newest version as soon as possible.
“This case shows how weaknesses in third‑party SDKs can have large‑scale security implications, especially in high‑value sectors like digital asset management,” Microsoft said. “Apps increasingly rely on third‑party SDKs, creating large and often opaque supply‑chain dependencies. These risks increase when integrations expose exported components or rely on trust assumptions that aren’t validated across app boundaries.”
Via The Hacker News
