
Microsoft Exposes Critical Android SDK Flaw Putting 50 Million Users at Risk

Microsoft researchers have disclosed a serious Android security vulnerability in a widely used third-party software development kit (SDK), warning that it could have exposed more than 50 million users to potential data theft and malicious attacks.

The flaw was found in the EngageLab SDK, a popular tool used by Android app developers to manage push notifications. Because the SDK is integrated directly into applications, it operates with the same permissions and trust level as the host app, giving it access to sensitive user data and internal app functions.

According to Microsoft’s findings, the vulnerability arises from how the SDK handles communication between apps. Specifically, it incorrectly processes external messages, treating them as trusted internal commands. This design flaw allows malicious apps installed on the same device to send specially crafted messages that the SDK may interpret as legitimate instructions.

Although the issue has since been patched, Microsoft stated that many apps were still running vulnerable versions at the time of discovery, potentially exposing over 50 million Android users. Among these, more than 30 million installations involved cryptocurrency wallet applications, raising concerns about possible financial theft and credential leakage.

Android has since taken action by removing affected applications from the Google Play Store after being alerted to the issue.

How the Vulnerability Works

The EngageLab SDK is designed to simplify push notifications for developers by integrating deeply into Android applications. It operates within the app’s secure environment and inherits all granted permissions, allowing it to access internal data and system functions.

The SDK uses Android’s inter-app communication system, known as intents, to send and receive messages. These intents allow apps and components to communicate both internally and externally.

However, Microsoft identified a critical flaw in how the SDK handles these intents. It exposes certain components that can be accessed by other apps, assuming that incoming requests are safe and originate from trusted sources.

A malicious application installed on the same device can exploit this weakness by sending a specially crafted message. Since the SDK fails to properly verify the origin of the request, it accepts and executes the command.

Once exploited, the SDK could be tricked into performing sensitive actions such as accessing private files, triggering internal app processes, or exposing credentials including cryptocurrency wallet keys. Microsoft described this as an “intent redirection vulnerability,” a form of trust abuse where a privileged component executes unauthorized external commands.
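For developers reviewing their own apps, the exposure described above starts with components that other apps on the device can reach. The following added example (not code from Microsoft or EngageLab) audits a merged AndroidManifest.xml for activities, services and receivers that are exported without a signature-level permission. The sample manifest is constructed, and every package, class and permission name in it is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed merged manifest; every package and class name is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <permission android:name="com.example.wallet.PUSH" android:protectionLevel="signature"/>
  <permission android:name="com.example.wallet.WEAK" android:protectionLevel="normal"/>
  <application>
    <activity android:name="com.example.pushsdk.RouterActivity" android:exported="true"/>
    <service android:name="com.example.pushsdk.PushService">
      <intent-filter><action android:name="com.example.pushsdk.MESSAGE"/></intent-filter>
    </service>
    <receiver android:name="com.example.pushsdk.WeakReceiver" android:exported="true"
        android:permission="com.example.wallet.WEAK"/>
    <receiver android:name="com.example.pushsdk.GuardedReceiver" android:exported="true"
        android:permission="com.example.wallet.PUSH"/>
    <service android:name="com.example.wallet.SyncService" android:exported="false"/>
  </application>
</manifest>"""


def reachable_components(manifest_xml):
    """List (tag, name, reason) for components other apps on the device can reach."""
    root = ET.fromstring(manifest_xml)
    # Permissions declared here that only apps signed with the same key can hold.
    strong = {p.get(NS + "name") for p in root.iter("permission")
              if (p.get(NS + "protectionLevel") or "").startswith("signature")}
    findings = []
    for elem in root.iter():
        if elem.tag not in TAGS:
            continue
        exported = elem.get(NS + "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and elem.find("intent-filter") is not None:
            # Before Android 12 an intent filter made the component exported by default.
            reason = "intent-filter without android:exported"
        else:
            continue
        perm = elem.get(NS + "permission")
        if perm and perm in strong:
            continue  # guarded by a signature-level permission
        if perm:
            reason += f", {perm} not declared signature-level in this manifest"
        findings.append((elem.tag, elem.get(NS + "name"), reason))
    return findings
```

Launcher activities and other intentionally public entry points will also appear in the result; each entry is a prompt to review how that component validates incoming intents, not proof of a flaw.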

Impact and Risk

Microsoft’s investigation revealed that the vulnerable SDK was present in apps with more than 50 million total installations. A significant portion of these were crypto-related applications, increasing the potential risk of financial theft.

While no active exploitation has been confirmed so far, security experts warned that the scale of exposure makes it a serious concern if attackers were to weaponize the flaw before users updated affected apps.

Discovery and Response

Microsoft identified the issue during routine security research and disclosed it to EngageLab in April 2025. The company addressed the vulnerability in SDK version 5.2.1, released on November 3, 2025.

Following the fix, Microsoft also informed Android authorities, which led to the removal of affected apps from the Play Store to prevent further risk.

Safety Recommendations

Microsoft emphasized that modern app security depends heavily on third-party libraries, and vulnerabilities in these tools can have widespread consequences.

Developers are urged to immediately update any apps using EngageLab SDK versions earlier than 5.2.1 and to carefully evaluate all third-party dependencies before integration.

Users are advised to install apps only from trusted sources, check reviews before downloading, and avoid suspicious or unfamiliar applications—especially those involving financial or crypto services.

Although no known exploitation has been reported, Microsoft stated that the risk remains significant whenever outdated SDKs are still in use across active applications.

