EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs
12.04.2026

A critical vulnerability in the EngageLab SDK exposed more than 50 million Android installations, 30 million of them crypto wallet apps, leaving sensitive data at risk for months before it was patched.

The vulnerability was disclosed in April 2025 but wasn't fully patched until November 2025, leaving millions of users vulnerable for 7+ months. Researchers found the flaw could allow attackers to intercept and manipulate data flowing through affected apps.
With 30 million crypto wallet installations affected, this represents one of the most significant mobile security threats to cryptocurrency users in recent years. The exposure window created perfect conditions for potential theft of private keys, transaction data, and wallet balances.
- 50M+ total Android installations affected
- 30M crypto wallet apps exposed
- Vulnerability disclosed April 2025
- Patch deployed November 2025
- 7+ month exposure window
- Supply chain attack vector
The EngageLab SDK is widely used by developers for push notifications and analytics, which makes this a classic supply chain risk. When a third-party component has a flaw, every app that bundles it inherits the vulnerability, a growing concern in mobile security.
Security experts are urging all Android users, particularly crypto holders, to update their apps immediately and check if they've used any affected applications during the vulnerability window.

