Microsoft Uncovers EngageLab SDK Flaw Affecting 50 Million Android Devices
Microsoft security researchers identified a critical intent redirection vulnerability in the EngageLab SDK, a widely used software development kit for Android apps. The flaw, discovered in April 2025, allowed malicious apps on the same device to bypass Android’s security sandbox and access private user data.
The vulnerability affected version 4.5.4 of the SDK; a patch was released in November 2025 as version 5.2.1. At least 50 million Android devices ran apps containing the vulnerable SDK, and 30 million of those installs were cryptocurrency applications, which amplified the potential risk. All vulnerable apps were subsequently removed from the Google Play Store.
While Microsoft found no evidence of active exploitation before the flaw’s discovery, the incident highlights the supply-chain risks posed by third-party SDKs, particularly in high-value sectors like digital asset management. The case underscores how unvalidated trust assumptions in app integrations can lead to large-scale security exposures.
EngageLab cybersecurity rating report: https://www.rankiteo.com/company/engagelab-aurora-mobile
Google Play business community cybersecurity rating report: https://www.rankiteo.com/company/googleplaybiz
{
  "id": "ENGGOO1775838293",
  "linkid": "engagelab-aurora-mobile, googleplaybiz",
  "type": "Vulnerability",
  "date": "4/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "50 million Android devices",
      "industry": "Software Development",
      "name": "EngageLab",
      "type": "SDK Provider"
    },
    {
      "industry": "Technology",
      "name": "Google Play Store",
      "type": "App Distribution Platform"
    },
    {
      "customers_affected": "30 million installs",
      "industry": "FinTech",
      "type": "Cryptocurrency Applications"
    }
  ],
  "attack_vector": "Intent Redirection",
  "data_breach": {"type_of_data_compromised": "Private user data"},
  "date_detected": "2025-04",
  "date_resolved": "2025-11",
  "description": "Microsoft security researchers identified a critical intent redirection vulnerability in the EngageLab SDK, a widely used software development kit for Android apps. The flaw allowed malicious apps on the same device to bypass Android’s security sandbox and access private user data. The vulnerability affected version 4.5.4 of the SDK, with a patch released in November 2025 (version 5.2.1). At least 50 million Android devices had apps containing the bugged SDK, with 30 million installs tied to cryptocurrency applications. All vulnerable apps were subsequently removed from the Google Play Store.",
  "impact": {
    "data_compromised": "Private user data",
    "operational_impact": "Vulnerable apps removed from Google Play Store",
    "systems_affected": "50 million Android devices"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Highlights supply-chain risks posed by third-party SDKs, particularly in high-value sectors like digital asset management. Underscores how unvalidated trust assumptions in app integrations can lead to large-scale security exposures.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released, vulnerable apps removed from distribution",
    "root_causes": "Unvalidated trust assumptions in app integrations (third-party SDK vulnerability)"
  },
  "references": [{"source": "Microsoft Security Research"}],
  "response": {
    "containment_measures": "Vulnerable apps removed from Google Play Store",
    "remediation_measures": "Patch released (EngageLab SDK version 5.2.1)"
  },
  "title": "Microsoft Uncovers EngageLab SDK Flaw Affecting 50 Million Android Devices",
  "type": "Supply Chain Vulnerability",
  "vulnerability_exploited": "Intent redirection vulnerability in EngageLab SDK (version 4.5.4)"
}