Full Report
Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put millions of cryptocurrency wallet users at risk. "This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data," the Microsoft Defender
Analysis Summary
# Vulnerability: Intent Redirection in EngageLab Android SDK
## CVE Details
- **CVE ID:** Not explicitly named in the article (common for SDK-level flaws, which are often tracked under the researcher's internal identifier until a CVE is published).
- **CVSS Score:** Not provided (Estimated High/Critical based on "Bypassing Android security sandbox").
- **CWE:** CWE-926: Improper Export of Android Components (Intent Redirection).
## Affected Systems
- **Products:** EngageLab SDK (Push Notification Service).
- **Versions:** Vulnerability identified in version 4.5.4 (and potentially prior).
- **Configurations:** Android applications integrating vulnerable versions of the SDK, specifically those with high-value data such as cryptocurrency wallets.
## Vulnerability Description
The flaw is an Intent Redirection vulnerability. In Android, Intents are messaging objects used to request an action from another app component. This vulnerability allows a malicious application installed on the same device to manipulate the contents of an intent sent by the vulnerable app. Because the forwarded intent runs in the SDK's trusted context and with the host app's permissions, the attacker can bypass the Android security sandbox and gain unauthorized access to protected components or internal directories (private data) of the host application.
## Exploitation
- **Status:** Not exploited in the wild (No evidence of malicious use detected to date); PoC available (Developed/verified by Microsoft Defender Security Research).
- **Complexity:** Medium (Requires a malicious app to be present on the device).
- **Attack Vector:** Local (Requires execution on the same physical device).
## Impact
- **Confidentiality:** High (Unauthorized access to private data, including crypto wallet keys or personal info).
- **Integrity:** Medium (Potential for escalation of privileges within the app environment).
- **Availability:** Low (Primary impact is data exposure).
## Remediation
### Patches
- **EngageLab SDK Version 5.2.1:** Released in November 2025 to address the flaw. Developers must update their SDK dependency and re-publish their apps.
### Workarounds
- **Registry/Store Action:** Google has reportedly removed apps using the vulnerable SDK versions from the Play Store. Users should ensure all installed apps are updated to the latest available versions via the storefront.
## Detection
- **Indicators of Compromise:** No specific IOCs (hashes/IPs) provided, as this is a library-level flaw.
- **Detection Methods:**
- **For Developers:** Scan project dependencies for `com.engagelab:engagelab` versions below 5.2.1.
- **For Researchers:** Use static analysis tools to identify exported activities or receivers that handle nested intents without validation.
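To make the pattern from the description and the detection bullet concrete, here is an added example (not code from the report, from Microsoft, or from the EngageLab SDK) of the vulnerable nested-intent forwarding that CWE-926 describes beside a hardened version. The activity name, the extra key and the allow-listed target are assumptions, not the SDK's real identifiers.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

// Hypothetical host-app activity that opens the screen named by a nested
// Intent carried in an extra (a common "tap on push notification" pattern).
// Class name, extra key and allow-list are assumptions for this example.
public class NotificationOpenActivity extends Activity {
    static final String EXTRA_TARGET = "target_intent"; // assumed key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // If this activity is exported, any app on the device can supply this extra.
        Intent nested = getIntent().getParcelableExtra(EXTRA_TARGET);
        if (nested != null) {
            forwardChecked(nested);
        }
        finish();
    }

    // VULNERABLE form (CWE-926 intent redirection): the nested Intent is
    // launched as-is, with the host app's identity and permissions, so it
    // can reach non-exported components and carry URI permission grants.
    void forwardUnchecked(Intent nested) {
        startActivity(nested);
    }

    // HARDENED form: resolve the target, accept only allow-listed components
    // of our own package, pin the component, and strip URI grant flags.
    void forwardChecked(Intent nested) {
        ComponentName target = nested.resolveActivity(getPackageManager());
        if (target == null || !isAllowed(target)) {
            return; // reject; a log line here is a useful detection signal
        }
        nested.setComponent(target);
        nested.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION); // API 23+
        startActivity(nested);
    }

    private boolean isAllowed(ComponentName target) {
        String pkg = getPackageName();
        return pkg.equals(target.getPackageName())
                && target.getClassName().equals(pkg + ".MainActivity"); // assumed
    }
}
```

If the screen never needs to be opened by other apps, declaring it with android:exported="false" in the manifest removes the entry point entirely and is the simpler fix.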
## References
- **Vendor Advisory:** hxxps://www[.]engagelab[.]com/docs/essentials/developer-guide/client-sdk/android-sdk
- **Microsoft Security Blog:** hxxps://www[.]microsoft[.]com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
- **Original Report:** hxxps://thehackernews[.]com/2026/04/engagelab-sdk-flaw-exposed-50m-android.html