Microsoft Finds Android SDK Bug That Put 30M Crypto Wallet Installs at Risk of Data Theft
Microsoft security researchers uncovered a critical "intent redirection" vulnerability in EngageLab's push notification SDK that could let any app on the same Android device sidestep sandbox protections and access private data.
Crypto wallet apps integrating the affected SDK accounted for more than 30 million installations, while total installations across all impacted apps exceeded 50 million. The issue was traced to EngageLab SDK version 4.5.4, exposing potentially sensitive information in wallet apps—including PII, login credentials and financial data—to theft by malicious apps installed on the same device.
Google Play has removed all identified apps using vulnerable SDK versions. Microsoft said it reported the flaw to EngageLab in April 2025, and the vendor shipped a fix in SDK version 5.2.1 in November 2025.
The disclosure follows last month's MediaTek boot chain vulnerability (CVE-2026-20435) reported by Ledger's Donjon team, which found attackers with physical USB access could extract wallet seed phrases in 45 seconds from 25% of Android phones. Together, the incidents echo hardware wallet proponents' warnings about keeping crypto on mobile devices.