thehackernews.com 4/9/2026, 7:50:27 PM

EngageLab SDK bug exposed millions of crypto wallets before fix

Primary Source microsoft.com

A now-patched vulnerability in EngageLab’s Android SDK could have affected millions of users: more than 30 million crypto wallet installations, and over 50 million installations in total, were identified as using the affected version range. According to the Microsoft Defender Security Research Team, the flaw, described as an intent redirection vulnerability in version 4.5.4, allows apps on the same device to bypass the Android sandbox and access private data.

Following responsible disclosure in April 2025, EngageLab released version 5.2.1 in November 2025 to address the vulnerability, and all detected apps using vulnerable SDK versions were noted as removed from the Google Play Store. There is no evidence that the vulnerability was exploited in a malicious context, but developers are urged to update to the latest version as a precaution, given the potential cascading impacts on devices.

EngageLab’s push notification service is designed to deliver timely notifications based on developer-tracked user data. The case illustrates how weak third‑party SDKs can create large supply‑chain security risks in high‑value sectors like digital asset management.


Article by CyberSIXT