EngageLab SDK Sandbox Bypass Exposes 50M Android Users, Including 30M Crypto Wallet Holders
What Happened — A critical sandbox‑bypass vulnerability in the third‑party EngageLab Android SDK allowed any other app installed on the same device to read private data belonging to apps that embedded the SDK. The flaw affected roughly 50 million Android users, an estimated 30 million of whom use cryptocurrency‑wallet applications built on the SDK. A fix has been released, but the flaw was exploitable on any device running an unpatched build before that fix was applied.
Why It Matters for TPRM —
- Third‑party SDKs can become a supply‑chain attack surface that bypasses OS‑level protections.
- Exposure of crypto‑wallet data can lead to direct financial loss for end‑users and reputational damage for app vendors.
- The large user base amplifies risk to downstream partners and service providers that embed the SDK.
Who Is Affected — Mobile app developers (especially fintech/crypto), cryptocurrency‑wallet providers, Android device users, and any organization that relies on the EngageLab SDK for analytics or engagement features.
Recommended Actions —
- Inventory your Android apps (including those built for you by suppliers) for the EngageLab SDK; any version earlier than the vendor's patched release is affected. No specific version number was given at time of reporting, so check against the vendor's own advisory.
- If present, update to the patched SDK version immediately, or remove the SDK if its analytics and engagement features are not needed.
- Review what each affected app stored in its private files and SharedPreferences. Anything a co‑resident app could have read (private keys, seed phrases, other wallet credentials) should be treated as potentially exposed and re‑issued where feasible; the vulnerability was a flaw, not planted malicious code, so the review is about exposure, not about removing backdoors.
- Re‑evaluate how third‑party SDKs are vetted before inclusion (requested permissions, exported components, the storage it creates and with what file modes) and add a release‑time check that nothing under the app's private data directory is readable by other UIDs. Wallet secrets belong in the hardware‑backed Android Keystore rather than in plain SharedPreferences.
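The two checks below are an added example for the Recommended Actions above; they are not code from the advisory, The Hacker News, or EngageLab. The first scans a Gradle dependency tree (as printed by `./gradlew :app:dependencies`) for artifacts whose coordinates contain a vendor keyword. The second parses an `adb shell ls -l` listing of an app's private data directory and flags entries that other UIDs can read or write, which is the per‑app isolation property the Technical Notes say the flaw bypassed. The Maven coordinates, the directory listing and the file names are constructed sample data (EngageLab's real artifact IDs are not given on this page), and the page does not say that world‑readable files were the mechanism of the flaw; the permission check is a general post‑incident sanity check.

```python
"""Added example: offline triage checks for a third-party Android SDK advisory.
Not vendor code. Sample inputs below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape Gradle prints a dependency tree.
# 'com.example.vendor:engagelab-*' is a placeholder coordinate, not EngageLab's real one.
SAMPLE_DEPENDENCY_TREE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.core:core-ktx:1.12.0
+--- com.example.vendor:engagelab-core:3.2.0 (*)
|    \\--- com.example.vendor:engagelab-push:3.2.0
+--- com.squareup.okhttp3:okhttp:4.12.0
\\--- org.jetbrains.kotlin:kotlin-stdlib:1.9.22
"""

# Constructed sample of `adb shell ls -l /data/data/<pkg>/` (toybox format:
# mode links owner group size date time name). Android gives each app its own
# UID (u0_a123 here), so 'other' permission bits expose data to every other app.
SAMPLE_LS_OUTPUT = """\
total 20
drwxrwx--x 4 u0_a123 u0_a123 4096 2024-05-01 10:00 cache
drwx------ 2 u0_a123 u0_a123 4096 2024-05-01 10:00 files
drwxrwxrwx 2 u0_a123 u0_a123 4096 2024-05-01 10:00 shared_prefs
-rw-rw-rw- 1 u0_a123 u0_a123  812 2024-05-01 10:00 wallet_prefs.xml
-rw------- 1 u0_a123 u0_a123 2048 2024-05-01 10:00 keystore.bin
"""

# group:artifact:version as Gradle prints it; trailing markers like "(*)" are ignored.
_COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-+]+)")


def find_sdk_dependencies(tree_text: str, keyword: str) -> list[tuple[str, str, str]]:
    """Return unique (group, artifact, version) triples whose group or artifact
    name contains `keyword`, case-insensitively. Use it to confirm whether a
    named SDK (or a transitive dependency of it) is in a build at all."""
    key = keyword.lower()
    found: list[tuple[str, str, str]] = []
    for line in tree_text.splitlines():
        for group, artifact, version in _COORD_RE.findall(line):
            if key in group.lower() or key in artifact.lower():
                coord = (group, artifact, version)
                if coord not in found:
                    found.append(coord)
    return found


@dataclass(frozen=True)
class ExposedEntry:
    name: str
    mode: str
    world_readable: bool
    world_writable: bool


def find_exposed_private_files(ls_text: str) -> list[ExposedEntry]:
    """Flag entries whose 'other' bits grant read or write access.
    Execute-only on a directory (--x) is normal traversal permission and is not
    flagged. Rows that are not `ls -l` entries (e.g. 'total 20') are skipped."""
    exposed: list[ExposedEntry] = []
    for line in ls_text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or len(parts[0]) != 10 or parts[0][0] not in "-dl":
            continue
        mode, name = parts[0], parts[7]
        other = mode[7:10]                      # rwx bits for "everyone else"
        readable, writable = other[0] == "r", other[1] == "w"
        if readable or writable:
            exposed.append(ExposedEntry(name, mode, readable, writable))
    return exposed


if __name__ == "__main__":
    for dep in find_sdk_dependencies(SAMPLE_DEPENDENCY_TREE, "engagelab"):
        print("SDK present:", ":".join(dep))
    for entry in find_exposed_private_files(SAMPLE_LS_OUTPUT):
        print(f"EXPOSED {entry.mode} {entry.name}")
```

Run the dependency scan against the real Gradle output for each app and each supplier-built app, and run the listing check against a debug build on a device or emulator (`adb shell run-as <pkg> ls -l` on non-rooted devices). Any hit in the second check is worth treating as an isolation defect regardless of which SDK created the file.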
Technical Notes — The vulnerability leveraged a sandbox‑escape flaw that let co‑resident apps read files and shared preferences of other apps, effectively bypassing Android’s per‑app isolation. No public CVE identifier was assigned at time of reporting. Data at risk included private keys, seed phrases, and other wallet credentials. Source: The Hacker News