Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users

"The vulnerability was found in EngageLab's EngageSDK, which is designed for managing messaging and push notifications in mobile applications. An attacker can use a malicious app running on the targeted device to send specially crafted intents that leverage the vulnerable app to bypass the Android security sandbox and gain access to sensitive data, including personal information, user credentials, and financial information."
"Microsoft notified EngageLab developers in April 2025. The Android Security Team was also informed the next month due to the vulnerability affecting apps distributed through Google Play. While this is a vulnerability introduced by a third-party SDK, Android's existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents."
Microsoft security researchers found a critical vulnerability in EngageLab's EngageSDK, used in over 30 million cryptocurrency wallet applications. The flaw involves intent redirection, allowing attackers to manipulate intents sent by vulnerable apps. This could lead to unauthorized access to sensitive data, including personal and financial information. Microsoft notified EngageLab and the Android Security Team about the issue, resulting in the removal of affected apps from Google Play. EngageLab released a patch in November 2025 to address the vulnerability.
Read at SecurityWeek